CVE-2019-11632

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)

Published: May 1, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-11632
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

CWEs:

CWE-269

Affected Software
References

Software	From	Fixed in
octopus / octopus_deploy	2019.1.0	2019.3.1.x
octopus / octopus_server	2019.4.0	2019.4.5.x

https://github.com/OctopusDeploy/Issues/issues/5528
https://github.com/OctopusDeploy/Issues/issues/5529

Vulnerability Database

289,689

CVE-2019-11632