
Deployment Targets visible when scoping Project/Library Variable sets for logged-in Users whose Team is not scoped to the required Environments #4407

Closed
reecewalsh opened this issue Mar 20, 2018 · 4 comments
Labels
kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible tag/permissions
Milestone

Comments

@reecewalsh

reecewalsh commented Mar 20, 2018

CVE-2018-9039

Octopus Version:

Tested and replicated in Octopus Version 2018.3.4

Issue:

When scoping Project or Library Variables it's possible to specify specific Deployment Targets.

In this instance, however, Users are able to view deployment targets and create associated Variables despite the logged-in User's Team not being scoped to the appropriate environment.

Replication Steps:

  1. Create a new Octopus user with appropriate permissions to edit/view Project/Library variable sets

  2. Create a Team that is scoped to a specific environment (in this example the Testing environment), see below;

image

In this example, the Testing environment contains only two deployment targets: Offline Package Target and Testing.

image

  3. Log in to Octopus as the created User

  4. Navigate to either the Variables within a Project or Library Set (in this example, this is demonstrated via the Project Variables) and create a new variable. When scoping this variable to a specific target, all targets are viewable, not just the two belonging to the associated Team.

image

It is then possible to save this change as shown below;

image

Source:

https://help.octopus.com/t/users-role-is-not-filtering-accessible-deployment-targets-based-on-tenant/19298
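The access-control defect above is a missing server-side filter: the list of deployment targets offered in the variable editor is not restricted to the environments the caller's team is scoped to, and the save is not rejected either. The following is an added Python example, not Octopus Deploy's code, that models the check a defender would expect on both the listing and the save. The data classes, the sample targets (extended beyond the issue's two Testing targets with production and multi-environment targets) and the team names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeploymentTarget:
    name: str
    environments: frozenset  # names of the environments this target belongs to


@dataclass(frozen=True)
class Team:
    name: str
    environment_scope: frozenset  # empty set means the team is unscoped (all environments)


# Constructed sample inventory, loosely modelled on the issue's example.
# "Shared Worker" belongs to two environments to show that a target is visible
# if ANY of its environments falls inside the team's scope.
TARGETS = [
    DeploymentTarget("Offline Package Target", frozenset({"Testing"})),
    DeploymentTarget("Testing", frozenset({"Testing"})),
    DeploymentTarget("Prod Web 01", frozenset({"Production"})),
    DeploymentTarget("Shared Worker", frozenset({"Testing", "Production"})),
]


def targets_unfiltered(targets, team):
    """Behaviour the issue reports: every target is offered regardless of team scope."""
    return [t.name for t in targets]


def targets_for_team(targets, team):
    """Hardened listing: only targets in at least one environment the team is scoped to.

    An unscoped team (empty environment_scope) keeps access to everything,
    matching the usual 'no scope restriction' semantics.
    """
    if not team.environment_scope:
        return [t.name for t in targets]
    return [t.name for t in targets if t.environments & team.environment_scope]


def validate_variable_scope(selected_targets, targets, team):
    """Server-side check at save time: reject any selected target the team may not see.

    Filtering the dropdown alone is not enough; a client can submit any target id,
    so the same rule must be enforced when the variable is persisted.
    """
    allowed = set(targets_for_team(targets, team))
    disallowed = sorted(set(selected_targets) - allowed)
    if disallowed:
        raise PermissionError(f"targets outside team scope: {disallowed}")
    return True


if __name__ == "__main__":
    testers = Team("Testers", frozenset({"Testing"}))
    print("unfiltered:", targets_unfiltered(TARGETS, testers))
    print("filtered:  ", targets_for_team(TARGETS, testers))
    try:
        validate_variable_scope(["Prod Web 01"], TARGETS, testers)
    except PermissionError as exc:
        print("rejected:  ", exc)
```

The important design point is that `validate_variable_scope` re-derives the allowed set from the team scope on the server rather than trusting the filtered list the UI displayed; hiding targets in the editor is a usability improvement, while the save-time check is the actual authorization boundary.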

@reecewalsh reecewalsh added kind/bug This issue represents a verified problem we are committed to solving area/modelling labels Mar 20, 2018
@octoreleasebot octoreleasebot added this to the 2018.3.7 milestone Mar 26, 2018
@octoreleasebot

octoreleasebot commented Mar 26, 2018

Release Note: Fix a bug where users can see machines beyond their team’s scoped environments in variable editor - CVE-2018-9039

@NickJosevski NickJosevski added the priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible label Mar 27, 2018
@patricknolan

Hi Guys,

I have upgraded to the latest version v2018.3.8 and still have the same issue.

@syntaxartisan

What's the first version this applied to?

@lock

lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot unassigned mayuanyang Nov 23, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018