Vulnerability Description
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octopus | Octopus Deploy | >= 2019.1.0, <= 2019.3.1 |
| Octopus | Octopus Server | >= 2019.4.0, <= 2019.4.5 |
Related Weaknesses (CWE)
References
- https://github.com/OctopusDeploy/Issues/issues/5528ExploitThird Party Advisory
- https://github.com/OctopusDeploy/Issues/issues/5529Third Party Advisory
- https://github.com/OctopusDeploy/Issues/issues/5528ExploitThird Party Advisory
- https://github.com/OctopusDeploy/Issues/issues/5529Third Party Advisory
FAQ
What is CVE-2019-11632?
CVE-2019-11632 is a vulnerability with a CVSS score of 8.1 (HIGH). In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could vie...
How severe is CVE-2019-11632?
CVE-2019-11632 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11632?
Check the references section above for vendor advisories and patch information. Affected products include: Octopus Octopus Deploy, Octopus Octopus Server.