Variable[View/Edit]Unscoped permissions don't comply with project scoping (CVE-2019-11632) #5528
Closed
4 tasks done
Labels
area/security
feature/permissions
kind/bug (This issue represents a verified problem we are committed to solving)
LTS/2019.3 (This issue affects 2019.3 LTS)
tag/regression (This issue was addressed and shipped, but subsequently broken in another release)
Description
The VariableViewUnscoped and VariableEditUnscoped permissions can be scoped to projects. As part of the permissions redesign we did during the spaces project, this behavior was lost, which means these permissions can no longer be scoped to projects. Granting a user these permissions gives them access to unscoped variables in all projects, regardless of how the permission has been scoped.
Repro steps
Grant a user VariableViewUnscoped scoped to the project [Foo].
Expected result
This user should not be able to view the unscoped variables within OctoFX, because their VariableViewUnscoped permission was not scoped to the OctoFX project.
Actual result
This user is able to see the unscoped variables from the project OctoFX, regardless of how their VariableViewUnscoped permission has been scoped.
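To make the regression concrete, the following is an added example (not Octopus Server code; the `Grant`, `Variable` and `is_authorized*` names are a hypothetical, simplified model). It contrasts a permission check that honours the project scope on a grant with one that ignores it, which is the behaviour the repro above describes, and adds an audit helper that lists who holds the affected permissions so an administrator can decide what to revoke. The sample grants and variables are constructed to mirror the repro: the user holds VariableViewUnscoped scoped to Foo only, and OctoFX is a different project.

```python
"""Illustrative model of project-scoped permission checks (added example, not Octopus Server code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """Hypothetical scoped grant: an empty `projects` set means 'all projects'."""
    permission: str
    projects: FrozenSet[str] = frozenset()

    def applies_to(self, project: str) -> bool:
        return not self.projects or project in self.projects


def is_authorized(grants: Iterable[Grant], permission: str, project: str) -> bool:
    """Correct check: a grant must name the permission AND cover the project."""
    return any(g.permission == permission and g.applies_to(project) for g in grants)


def is_authorized_regressed(grants: Iterable[Grant], permission: str, project: str) -> bool:
    """The behaviour this issue describes: the project scope on the grant is
    never consulted, so holding the permission anywhere grants it everywhere."""
    return any(g.permission == permission for g in grants)


@dataclass(frozen=True)
class Variable:
    name: str
    project: str
    scoped: bool  # True when the variable carries a scope (environment, role, ...)


Check = Callable[[Iterable[Grant], str, str], bool]


def visible_unscoped_variables(check: Check, grants: Iterable[Grant],
                               variables: Iterable[Variable], project: str) -> List[str]:
    """Names of the unscoped variables in `project` the caller may view under `check`."""
    if not check(grants, "VariableViewUnscoped", project):
        return []
    return [v.name for v in variables if v.project == project and not v.scoped]


UNSCOPED_VARIABLE_PERMISSIONS = {"VariableViewUnscoped", "VariableEditUnscoped"}


def audit_unscoped_variable_grants(users: Dict[str, List[Grant]],
                                   privileged: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (user, permission, scope) for every affected-permission grant held by a
    user outside `privileged`; these are the grants the workaround suggests revoking."""
    findings = []
    for user, grants in sorted(users.items()):
        if user in privileged:
            continue
        for g in grants:
            if g.permission in UNSCOPED_VARIABLE_PERMISSIONS:
                scope = ",".join(sorted(g.projects)) or "<all projects>"
                findings.append((user, g.permission, scope))
    return findings


# Constructed sample data mirroring the repro steps.
SAMPLE_GRANTS = [Grant("VariableViewUnscoped", frozenset({"Foo"}))]
SAMPLE_VARIABLES = [
    Variable("DbPassword", "OctoFX", scoped=False),
    Variable("ApiKey", "OctoFX", scoped=False),
    Variable("ConnectionString", "OctoFX", scoped=True),
    Variable("FooSecret", "Foo", scoped=False),
]

if __name__ == "__main__":
    print("expected (scope honoured):",
          visible_unscoped_variables(is_authorized, SAMPLE_GRANTS, SAMPLE_VARIABLES, "OctoFX"))
    print("regressed (scope ignored):",
          visible_unscoped_variables(is_authorized_regressed, SAMPLE_GRANTS, SAMPLE_VARIABLES, "OctoFX"))
    print("audit:", audit_unscoped_variable_grants({"alice": SAMPLE_GRANTS}, {"admin"}))
```

With the scope honoured, the user sees no unscoped variables in OctoFX and only FooSecret in Foo; with the scope ignored, the same grant exposes every unscoped variable in OctoFX. The audit helper is the check an administrator would run before applying the workaround below: every grant it lists is a candidate for revocation until the server is upgraded.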
In 2018.10.6 (working)
With this permissions setup: [screenshot]
You can only view the one variable in OctoFX: [screenshot]
In 2019.4.4 (failing)
With this permissions setup: [screenshot]
You can view all unscoped variables in OctoFX: [screenshot]
Details
These affected permissions are not used by any built-in roles in Octopus. If you are using built-in roles only, you will not be affected.
Affected versions of Octopus Server
2019.1.0-2019.3.1 (inclusive), and 2019.4.0-2019.4.5 (inclusive)
Workarounds
There is no known way of preserving the same access control that existed before this regression was introduced.
Until an upgrade can be performed to a version of Octopus Server where this bug has been fixed, it is recommended that the VariableViewUnscoped and VariableEditUnscoped permissions are revoked where possible and only highly privileged users (e.g. admins or space managers) are granted these permissions.