CVE-2018-9039

{"id": "CVE-2018-9039", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2018-03-27T03:29:00.543", "references": [{"url": "https://github.com/OctopusDeploy/Issues/issues/4407", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/OctopusDeploy/Issues/issues/4407", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://octopus.com/downloads/compare?from=2018.3.6&to=2018.3.7", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments."}, {"lang": "es", "value": "En Octopus Deploy 2.0 y posteriores, anteriores a 2018.3.7, un usuario autenticado con permisos de edici\u00f3n de variables puede averiguar algunas variables para l\u00edmites mayores que aquellos para los que deber\u00eda tener permisos. En otras palabras, los usuarios pueden visualizar m\u00e1quinas m\u00e1s a all\u00e1 de los entornos dentro de los l\u00edmites del equipo."}], "lastModified": "2024-11-21T04:14:50.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42EA81AB-161E-4160-B11C-9D8BC96129FA", "versionEndExcluding": "2018.3.7", "versionStartIncluding": "2.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}