CVE-2018-12089

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.

CVSS v3 7.5 HIGH
CVSS v2.0 3.5 LOW

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/OctopusDeploy/Issues/issues/4628	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-06-11 10:29

Updated : 2024-02-28 16:25

NVD link : CVE-2018-12089

Mitre link : CVE-2018-12089

CVE.ORG link : CVE-2018-12089

JSON object : View

Products Affected

octopus

octopus_server

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2018-12089", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2018-06-11T10:29:00.360", "references": [{"url": "https://github.com/OctopusDeploy/Issues/issues/4628", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0."}, {"lang": "es", "value": "Desde la versi\u00f3n 2018.5.1 hasta la 2018.5.7 de Octopus Deploy, un usuario con Task View puede visualizar una contrase\u00f1a para un Service Fabric Cluster, cuando el objetivo del Service Fabric Cluster est\u00e1 configurado en el modo de seguridad Azure Active Directory y se ejecuta una implementaci\u00f3n con el valor de OctopusPrintVariables en \"True\". Esto se ha solucionado en la versi\u00f3n 2018.6.0."}], "lastModified": "2022-07-27T15:40:53.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DD668AE-4B39-44E7-ACE3-52B4809B42AD", "versionEndIncluding": "2018.5.7", "versionStartIncluding": "2018.5.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}