CVE-2018-10550 : In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were no

In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.

Published 2018-04-30 04:29:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2018-10550

Octopus » Octopus Deploy
Versions before (<) 2018.4.7
cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 51 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Assigned by: nvd@nist.gov (Primary)

https://github.com/OctopusDeploy/Issues/issues/4454

User from tenant scoped team can see machines that do not scope to the tenant · Issue #4454 · OctopusDeploy/Issues · GitHub
Issue Tracking;Third Party Advisory

Jump to