Octopus comes with a set of built-in teams, roles and permissions. TeamEdit and RoleEdit are two very powerful permissions that are only granted to the built-in System Administrator role.
Some customers create their own teams and roles, or customize the built-in roles. If a customer grants the TeamEdit or RoleEdit permission to a "lower level" role/team, members of that team can edit their own role/team to escalate their effective permissions.
Vulnerability
When the built-in roles have been misconfigured, or custom roles have been constructed and misconfigured, users in the misconfigured teams/roles can edit their team/role to escalate their effective permissions.
Mitigation
Prior to Octopus 4.1.9: ensure that the teams which are granted the TeamEdit and/or RoleEdit permissions are trusted to modify the effective permissions of any user in your Octopus installation, including their own. The built-in roles and teams that come with Octopus already follow this practice.
From Octopus 4.1.9: Octopus actively prevents any user from escalating their own effective permissions.
Affected versions
Octopus Server up to 4.1.9; fixed in Octopus Server 4.1.9 and later.
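The following is an added, stand-alone model of the check the 4.1.9 fix describes; it is not Octopus's own code. It applies the strict reading suggested by the issue title: an edit that requires TeamEdit or RoleEdit is rejected if it would hand any user (the editor included) a permission the editing user does not already hold effectively. The "Team Lead", "Project Deployer" roles, the team names, the user names and all permission names other than TeamEdit, RoleEdit and System Administrator are constructed for the example.

```python
"""Model of the post-4.1.9 rule: an edit may not grant permissions beyond the editor's scope."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set


@dataclass
class Role:
    name: str
    permissions: Set[str]


@dataclass
class Team:
    name: str
    members: Set[str]   # user names
    roles: Set[str]     # role names granted to every member


class AccessDenied(Exception):
    """The editor lacks the permission the edit itself requires (TeamEdit / RoleEdit)."""


class EscalationError(Exception):
    """The edit would grant some user a permission the editor does not hold."""


class PermissionModel:
    def __init__(self, roles: Iterable[Role], teams: Iterable[Team]):
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.teams: Dict[str, Team] = {t.name: t for t in teams}

    def users(self) -> Set[str]:
        return set().union(*(t.members for t in self.teams.values()))

    def effective_permissions(self, user: str) -> FrozenSet[str]:
        """Union of the permissions of every role on every team the user belongs to."""
        perms: Set[str] = set()
        for team in self.teams.values():
            if user in team.members:
                for role_name in team.roles:
                    perms |= self.roles[role_name].permissions
        return frozenset(perms)

    def _checked_edit(self, actor: str, required: str, mutate: Callable[["PermissionModel"], None]) -> None:
        actor_scope = self.effective_permissions(actor)
        if required not in actor_scope:
            raise AccessDenied(f"{actor} lacks {required}")
        # Apply the edit to a copy first, then compare every user's before/after set.
        candidate = copy.deepcopy(self)
        mutate(candidate)
        for user in self.users() | candidate.users():
            gained = candidate.effective_permissions(user) - self.effective_permissions(user)
            if not gained <= actor_scope:
                raise EscalationError(f"{actor} would grant {user} {sorted(gained - actor_scope)}")
        self.roles, self.teams = candidate.roles, candidate.teams

    def edit_role(self, actor: str, role_name: str, permissions: Iterable[str]) -> None:
        def mutate(m: "PermissionModel") -> None:
            m.roles[role_name].permissions = set(permissions)
        self._checked_edit(actor, "RoleEdit", mutate)

    def edit_team(self, actor: str, team_name: str,
                  members: Optional[Iterable[str]] = None, roles: Optional[Iterable[str]] = None) -> None:
        def mutate(m: "PermissionModel") -> None:
            team = m.teams[team_name]
            if members is not None:
                team.members = set(members)
            if roles is not None:
                team.roles = set(roles)
        self._checked_edit(actor, "TeamEdit", mutate)


def build_sample_model() -> PermissionModel:
    """Constructed data: a misconfigured 'Team Lead' role that was given TeamEdit and RoleEdit."""
    roles = [
        Role("System Administrator", {"TeamEdit", "RoleEdit", "UserEdit", "ProjectEdit", "DeploymentCreate"}),
        Role("Team Lead", {"TeamEdit", "RoleEdit", "ProjectEdit"}),      # the misconfiguration
        Role("Project Deployer", {"DeploymentCreate"}),
    ]
    teams = [
        Team("Octopus Administrators", {"alice"}, {"System Administrator"}),
        Team("Leads", {"bob"}, {"Team Lead"}),
        Team("Deployers", {"carol"}, {"Project Deployer"}),
    ]
    return PermissionModel(roles, teams)


def attempt(action: Callable, *args, **kwargs) -> str:
    """Run one edit and report the outcome as a short string."""
    try:
        action(*args, **kwargs)
        return "allowed"
    except EscalationError:
        return "blocked"
    except AccessDenied:
        return "denied"


def run_scenarios():
    m = build_sample_model()
    results = {}
    # bob holds RoleEdit via the misconfigured role and tries to add UserEdit to it.
    results["bob_adds_useredit_to_own_role"] = attempt(
        m.edit_role, "bob", "Team Lead", {"TeamEdit", "RoleEdit", "ProjectEdit", "UserEdit"})
    # bob holds TeamEdit and tries to attach System Administrator to his own team.
    results["bob_grants_team_sysadmin"] = attempt(
        m.edit_team, "bob", "Leads", roles={"Team Lead", "System Administrator"})
    # Narrowing a role grants nothing, so it passes the check.
    results["bob_removes_projectedit"] = attempt(m.edit_role, "bob", "Team Lead", {"TeamEdit", "RoleEdit"})
    # carol has no RoleEdit at all.
    results["carol_edits_role"] = attempt(m.edit_role, "carol", "Project Deployer", {"DeploymentCreate", "ProjectEdit"})
    # alice already holds everything she is granting.
    results["alice_adds_useredit"] = attempt(m.edit_role, "alice", "Team Lead", {"TeamEdit", "RoleEdit", "UserEdit"})
    return results, m


if __name__ == "__main__":
    for name, outcome in run_scenarios()[0].items():
        print(f"{name}: {outcome}")
```

The check is deliberately computed on effective permissions, not on the role or team being edited in isolation: bob's escalation attempts go through different objects (his role, his team) but both are caught by the same before/after comparison.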
Release Note: Fixed a security vulnerability where incorrectly configured user roles and teams would allow members of those teams to escalate their own permissions - Octopus now actively prevents any user from escalating their own effective set of permissions - CVE-2018-5706
michaelnoonan changed the title from "Block team editing when the user tries to escalate privileges" to "Prevent escalation of privileges beyond the effective scope of the current user" on Jan 18, 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.
lockbot locked as resolved and limited conversation to collaborators on Nov 23, 2018
Labels: area/security, kind/bug