CVE-2018-5706
First published: Tue Jan 16 2018(Updated: )
An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permissions even if they didn't have them, as demonstrated by use of the RoleEdit or TeamEdit permission.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Octopus Deploy | <4.1.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-5706?
CVE-2018-5706 is classified as a medium severity vulnerability.
How does CVE-2018-5706 affect Octopus Deploy?
CVE-2018-5706 allows any user with user editing permissions to elevate their privileges to Administer System.
What versions of Octopus Deploy are affected by CVE-2018-5706?
CVE-2018-5706 affects all versions of Octopus Deploy prior to 4.1.9.
How do I fix CVE-2018-5706?
To fix CVE-2018-5706, upgrade Octopus Deploy to version 4.1.9 or later.
What permissions are misconfigured in CVE-2018-5706?
CVE-2018-5706 involves misconfigured RoleEdit or TeamEdit permissions that allow unauthorized privilege escalation.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/octopus
- canonical/octopus deploy