First published: Tue Apr 28 2020
In Octopus Deploy before 2019.12.9 and 2020.x before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a user whose TaskView role is scoped to a single tenant can view server tasks that belong to any other tenant.
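To make the "not scoped to any dimension" failure concrete, the following is an added, constructed illustration and not Octopus Deploy's code: a permission check that only asks whether the caller holds TaskView at all, beside one that also requires the grant to cover the task's tenant. The user, grant and task records, the tenant and task identifiers, and the rule that untenanted tasks are visible only through an unrestricted grant are all assumptions made for the example.

```python
"""Constructed model of a tenant-scoped permission check (not Octopus code).

Shows the flaw class behind a permission that is "not scoped to any
dimension": the vulnerable check tests only for the presence of TaskView,
while the corrected check also tests the grant's tenant scope against the
task being viewed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    task_id: str
    tenant_id: Optional[str]  # None: the task is not tied to any tenant


@dataclass(frozen=True)
class Grant:
    permission: str
    tenant_ids: Optional[FrozenSet[str]]  # None: grant is unrestricted (all tenants)


@dataclass(frozen=True)
class User:
    name: str
    grants: Tuple[Grant, ...]


def can_view_task_unscoped(user: User, task: Task) -> bool:
    """Flawed check: asks only whether the user holds TaskView anywhere.

    The task argument is ignored, so a grant scoped to one tenant unlocks
    tasks belonging to every tenant.
    """
    return any(g.permission == "TaskView" for g in user.grants)


def can_view_task_scoped(user: User, task: Task) -> bool:
    """Scope-aware check: a TaskView grant must cover the task's tenant.

    Assumed rule for this example: an untenanted task (tenant_id None) is
    visible only through a grant with no tenant restriction.
    """
    for g in user.grants:
        if g.permission != "TaskView":
            continue
        if g.tenant_ids is None:  # unrestricted grant covers everything
            return True
        if task.tenant_id is not None and task.tenant_id in g.tenant_ids:
            return True
    return False


# Constructed sample data (hypothetical users, tenants and task ids).
TENANT_A_OPERATOR = User("alice", (Grant("TaskView", frozenset({"tenant-a"})),))
ADMIN = User("root", (Grant("TaskView", None),))
NO_TASKVIEW = User("bob", (Grant("DeploymentView", frozenset({"tenant-a"})),))
TASKS: Tuple[Task, ...] = (
    Task("ServerTasks-1", "tenant-a"),
    Task("ServerTasks-2", "tenant-b"),
    Task("ServerTasks-3", None),
)

Checker = Callable[[User, Task], bool]


def visible_tasks(user: User, checker: Checker) -> List[str]:
    """Return the ids of the sample tasks the checker lets `user` see."""
    return [t.task_id for t in TASKS if checker(user, t)]


def main() -> None:
    for label, checker in (("unscoped", can_view_task_unscoped),
                           ("scoped", can_view_task_scoped)):
        print(f"{label:9s} alice sees {visible_tasks(TENANT_A_OPERATOR, checker)}")


if __name__ == "__main__":
    main()
```

Running it shows the tenant-a operator seeing all three tasks under the unscoped check and only `ServerTasks-1` under the scoped one; the same pattern is what to look for when auditing any role-based check that takes a permission name but never consults the object being accessed.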
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Octopus Octopus Deploy | <2019.12.9 | Upgrade to 2019.12.9 or later |
Octopus Octopus Deploy | >=2020.1, <2020.1.12 | Upgrade to 2020.1.12 or later |
CVE-2020-12286 is a vulnerability in Octopus Deploy before version 2019.12.9 and 2020.x before version 2020.1.12 in which the TaskView permission is not scoped to any dimension, so a tenant-scoped grant is honoured as if it were unrestricted.
The severity of CVE-2020-12286 is medium, with a CVSS score of 4.3.
CVE-2020-12286 affects Octopus Deploy versions before 2019.12.9 and 2020.x before 2020.1.12 by allowing a user whose access is scoped to one tenant to view server tasks belonging to any other tenant.
To fix CVE-2020-12286, upgrade Octopus Deploy: the 2019.x line to 2019.12.9 or later, or the 2020.x line to 2020.1.12 or later.
You can find more information about CVE-2020-12286 on the Octopus Deploy GitHub Issues page: [link].