
Variable[View/Edit]Unscoped permissions don't comply with project scoping (CVE-2019-11632) #5528

Closed
4 tasks done
TomPeters opened this issue May 1, 2019 · 3 comments
Labels: area/security, feature/permissions, kind/bug (This issue represents a verified problem we are committed to solving), LTS/2019.3 (This issue affects 2019.3 LTS), tag/regression (This issue was addressed and shipped, but subsequently broken in another release)
Comments

TomPeters commented May 1, 2019

Prerequisites

Description

The VariableViewUnscoped and VariableEditUnscoped permissions can be scoped to projects. As part of the permissions redesign we did during the spaces project, this behavior was lost, which means these permissions can no longer be scoped to projects. Granting a user these permissions gives them access to unscoped variables in all projects, regardless of how this permission has been scoped.

Repro steps

  1. Create a project (eg OctoFX) with some variables that are unscoped, and some variables that are scoped to an environment (eg Development)
  2. Create another unrelated project (eg Foo)
  3. Configure a separate user that has the following permissions
    • The "Project Contributor" role scoped to [OctoFX, Development]
    • VariableViewUnscoped scoped to [Foo]
  4. As that user, try to view the variables for the project OctoFX

Expected result

This user should not be able to view the Unscoped variable within OctoFX, because their VariableViewUnscoped permission was not scoped to the OctoFX project.

Actual result

This user is able to see the unscoped variables from the project OctoFX, regardless of how their VariableViewUnscoped permission has been scoped.

Screenshots

In 2018.10.6 (working)

With this permissions setup: [screenshot]

You can only view the one variable in OctoFX: [screenshot]

In 2019.4.4 (failing)

With this permissions setup: [screenshot]

You can view all unscoped variables in OctoFX: [screenshot]

Details

These affected permissions are not used by any built-in roles in Octopus. If you are using built-in roles only, then you will not be affected.

Affected versions of Octopus Server

2019.1.0 - 2019.3.1 (inclusive), and 2019.4.0 - 2019.4.5 (inclusive)

Workarounds

There is no known way of preserving the same access control that existed before this regression was introduced.

Until an upgrade can be performed to a version of Octopus Server where this bug has been fixed, it is recommended that the VariableViewUnscoped and VariableEditUnscoped permissions are revoked where possible and only highly privileged users (eg. admins or space managers) are granted these permissions.

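To make the access-control failure in the report above concrete, the following is an added illustration written for this page; it is not Octopus Server's code and does not reproduce its real permission engine. It models the scenario from the repro steps: one grant of VariableView scoped to [OctoFX, Development] (standing in for what the "Project Contributor" role is assumed to confer) and one grant of VariableViewUnscoped scoped to [Foo]. The `fixed` flag switches between a check that honours project scope for the Unscoped permissions and the regressed behaviour that ignores it. Variable names, project names and the Grant/Variable types are all constructed for the example.

```python
"""Model of project scoping for VariableViewUnscoped (illustration, not Octopus code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Variable:
    project: str
    name: str
    environment: Optional[str] = None  # None means the variable is unscoped


@dataclass(frozen=True)
class Grant:
    """One permission held by a user. An empty scope set on a dimension
    means the grant is not restricted on that dimension (hypothetical model)."""
    permission: str
    projects: FrozenSet[str] = frozenset()
    environments: FrozenSet[str] = frozenset()


def _in_scope(scope: FrozenSet[str], value: Optional[str]) -> bool:
    # Unrestricted scope matches anything; otherwise the value must be listed.
    return not scope or value in scope


def can_view(grants: Iterable[Grant], var: Variable, fixed: bool = True) -> bool:
    """Return True if any grant permits viewing `var`.

    Environment-scoped variables need VariableView scoped to the variable's
    project and environment. Unscoped variables need VariableViewUnscoped;
    with fixed=True that grant must also cover the variable's project, with
    fixed=False the project scope is ignored (the regression in this issue).
    """
    for g in grants:
        if var.environment is None:
            if g.permission != "VariableViewUnscoped":
                continue
            if fixed and not _in_scope(g.projects, var.project):
                continue  # correct behaviour: scoped to another project, deny
            return True
        if g.permission != "VariableView":
            continue
        if not _in_scope(g.projects, var.project):
            continue
        if not _in_scope(g.environments, var.environment):
            continue
        return True
    return False


def visible_names(grants: Iterable[Grant], variables: Iterable[Variable],
                  fixed: bool = True) -> List[str]:
    """Sorted names of the variables the user is allowed to see."""
    grants = tuple(grants)
    return sorted(v.name for v in variables if can_view(grants, v, fixed))


# Constructed sample data mirroring the repro steps (not taken from the page).
OCTOFX_VARIABLES = (
    Variable("OctoFX", "DatabasePassword"),                  # unscoped
    Variable("OctoFX", "ApiKey"),                            # unscoped
    Variable("OctoFX", "DevConnectionString", "Development"),
    Variable("OctoFX", "ProdConnectionString", "Production"),
)
FOO_VARIABLES = (Variable("Foo", "FooSecret"),)

# Assumption: "Project Contributor" scoped to [OctoFX, Development] is
# represented here as a VariableView grant with that scope.
USER_GRANTS = (
    Grant("VariableView", frozenset({"OctoFX"}), frozenset({"Development"})),
    Grant("VariableViewUnscoped", frozenset({"Foo"})),
)

if __name__ == "__main__":
    print("fixed   :", visible_names(USER_GRANTS, OCTOFX_VARIABLES, fixed=True))
    print("regressed:", visible_names(USER_GRANTS, OCTOFX_VARIABLES, fixed=False))
```

With `fixed=True` the user sees only the Development-scoped variable in OctoFX; with `fixed=False` every unscoped OctoFX variable leaks through the grant that was meant for Foo, which is the behaviour the screenshots for 2019.4.4 describe.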
@TomPeters TomPeters added kind/bug This issue represents a verified problem we are committed to solving area/security feature/permissions tag/regression This issue was addressed and shipped, but subsequently broken in another release labels May 1, 2019
@TomPeters TomPeters self-assigned this May 1, 2019
@TomPeters TomPeters added this to the 2019.4.6 milestone May 1, 2019

TomPeters commented May 1, 2019

Release Note: Fixed an access control bug where project scoping was not being applied for VariableViewUnscoped and VariableEditUnscoped permissions (CVE-2019-11632)

@octoreleasebot octoreleasebot removed this from the 2019.4.6 milestone May 1, 2019
@TomPeters TomPeters added this to the 2019.4.6 milestone May 1, 2019
@TomPeters TomPeters changed the title Variable[View/Edit]Unscoped permissions don't comply with project scoping Variable[View/Edit]Unscoped permissions don't comply with project scoping (CVE-2019-11632) May 1, 2019
@slewis74 slewis74 modified the milestones: 2019.4.6, 2019.4.7 May 2, 2019
@michaelnoonan michaelnoonan added the LTS/2019.3 This issue affects 2019.3 LTS label May 2, 2019
lock bot commented Jul 31, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Jul 31, 2019