
Prevent escalation of privileges beyond the effective scope of the current user #4167

Closed
distantcam opened this issue Jan 16, 2018 · 3 comments
Labels: area/security, kind/bug (This issue represents a verified problem we are committed to solving)


distantcam commented Jan 16, 2018

CVE-2018-5706

Octopus comes with a set of built in teams and roles and permissions. TeamEdit and RoleEdit are two very powerful permissions that are only granted to the built-in System Administrator role.

Some customers create their own teams and roles, or customize the built-in roles. If a customer grants the TeamEdit or RoleEdit permissions to a "lower level" role/team, members of that team can edit their role/team to escalate their effective permissions.

Vulnerability

When the built-in roles have been misconfigured, or custom roles have been constructed and misconfigured, users in the misconfigured teams/roles can edit their team/role to escalate their effective permissions.

Mitigation

Prior to Octopus 4.1.9: Ensure the teams which are granted the TeamEdit and/or RoleEdit permissions are trusted to modify the effective permissions of any user in your Octopus installation, including their own. The built-in roles and teams that come with Octopus follow this practice already.

After Octopus 4.1.9: Octopus will now actively prevent any user from escalating their effective permissions.

Affected versions

Octopus Server up to 4.1.9. Fixed in Octopus Server 4.1.9 and later.
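The escalation path described above, and the invariant the fix title names (no edit may grant permissions beyond the editing user's own effective scope), as an added Python model. This is example code, not Octopus Deploy's implementation: the Role, Team and Directory classes, the PrivilegeEscalation exception, the user names and the permission strings other than TeamEdit and RoleEdit are constructed for the example.

```python
"""Toy model of team/role editing with an anti-escalation check.

Added example (not Octopus Deploy code). A user holding RoleEdit or TeamEdit
may change roles and teams, but the change is rejected if it would grant any
permission that is outside the editing user's current effective permissions.
All class names, user names and sample data below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Team:
    name: str
    roles: frozenset    # names of roles granted to the team
    members: frozenset  # user names


class PrivilegeEscalation(Exception):
    """Raised when an edit would grant a permission the editor does not hold."""


@dataclass
class Directory:
    roles: dict = field(default_factory=dict)
    teams: dict = field(default_factory=dict)

    def team_permissions(self, team):
        perms = set()
        for role_name in team.roles:
            perms |= self.roles[role_name].permissions  # KeyError on an unknown role
        return frozenset(perms)

    def effective_permissions(self, user):
        """Union of the permissions of every team the user belongs to."""
        perms = set()
        for team in self.teams.values():
            if user in team.members:
                perms |= self.team_permissions(team)
        return frozenset(perms)

    def edit_role(self, actor, new_role):
        scope = self.effective_permissions(actor)
        if "RoleEdit" not in scope:
            raise PermissionError(f"{actor} lacks RoleEdit")
        old = self.roles.get(new_role.name)
        # Only newly granted permissions matter; removing permissions never escalates.
        granted = new_role.permissions - (old.permissions if old else frozenset())
        excess = granted - scope
        if excess:
            raise PrivilegeEscalation(f"{actor} cannot grant {sorted(excess)}")
        self.roles[new_role.name] = new_role

    def edit_team(self, actor, new_team):
        scope = self.effective_permissions(actor)
        if "TeamEdit" not in scope:
            raise PermissionError(f"{actor} lacks TeamEdit")
        new_perms = self.team_permissions(new_team)
        old = self.teams.get(new_team.name)
        old_perms = self.team_permissions(old) if old else frozenset()
        old_members = old.members if old else frozenset()
        # Newly attached roles reach every existing member; a newly added member
        # (possibly the actor themselves) receives the team's whole permission set.
        granted = new_perms if new_team.members - old_members else new_perms - old_perms
        excess = granted - scope
        if excess:
            raise PrivilegeEscalation(f"{actor} cannot grant {sorted(excess)}")
        self.teams[new_team.name] = new_team


def build_demo_directory():
    """Constructed sample data: a 'Developers' team misconfigured with RoleEdit and TeamEdit."""
    d = Directory()
    d.roles["System Administrator"] = Role("System Administrator", frozenset(
        {"AdministerSystem", "RoleEdit", "TeamEdit", "DeploymentCreate"}))
    d.roles["Developer"] = Role("Developer", frozenset(
        {"DeploymentCreate", "RoleEdit", "TeamEdit"}))
    d.teams["Administrators"] = Team("Administrators", frozenset({"System Administrator"}), frozenset({"alice"}))
    d.teams["Developers"] = Team("Developers", frozenset({"Developer"}), frozenset({"bob"}))
    return d


def attempt_self_escalation(d):
    """Bob tries both escalation paths from the issue; reports whether each was blocked."""
    before = d.effective_permissions("bob")
    outcomes = {}
    try:  # path 1: add AdministerSystem to his own role
        d.edit_role("bob", Role("Developer", d.roles["Developer"].permissions | {"AdministerSystem"}))
        outcomes["role_edit"] = "allowed"
    except PrivilegeEscalation:
        outcomes["role_edit"] = "rejected"
    try:  # path 2: add himself to the Administrators team
        admins = d.teams["Administrators"]
        d.edit_team("bob", Team(admins.name, admins.roles, admins.members | {"bob"}))
        outcomes["team_edit"] = "allowed"
    except PrivilegeEscalation:
        outcomes["team_edit"] = "rejected"
    outcomes["scope_unchanged"] = d.effective_permissions("bob") == before
    return outcomes


if __name__ == "__main__":
    print(attempt_self_escalation(build_demo_directory()))
```

The check deliberately compares the permissions an edit newly grants against the actor's current scope, rather than forbidding TeamEdit/RoleEdit outside the administrator role: a trusted delegated editor can still create roles and teams with permissions they already hold, while the two edits that the issue describes (widening one's own role, or joining a more privileged team) are refused before the directory is modified.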

@distantcam distantcam added the kind/bug and area/security labels Jan 16, 2018
@distantcam distantcam self-assigned this Jan 16, 2018
distantcam (author) commented

Fixed by OctopusDeploy/OctopusDeploy#1745

@octoreleasebot octoreleasebot added this to the 4.1.9 milestone Jan 16, 2018

octoreleasebot commented Jan 16, 2018

Release Note: Fixed a security vulnerability where incorrectly configured user roles and teams would allow members of those teams to escalate their own permissions - Octopus now actively prevents any user from escalating their own effective set of permissions - CVE-2018-5706

@michaelnoonan michaelnoonan changed the title from "Block team editing when the user tries to escalate privileges" to "Prevent escalation of privileges beyond the effective scope of the current user" Jan 18, 2018

lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018