
Variable[View/Edit]Unscoped permissions don't comply with project scoping (CVE-2019-11632) #5528

Closed
TomPeters opened this issue May 1, 2019 · 2 comments

@TomPeters
commented May 1, 2019

Description

The VariableViewUnscoped and VariableEditUnscoped permissions can be scoped to projects. As part of the permissions redesign we did during the spaces project, this behavior was lost, which means these permissions can no longer be scoped to projects. Granting a user these permissions gives them access to unscoped variables in all projects, regardless of how this permission has been scoped.

Repro steps

  1. Create a project (eg OctoFX) with some variables that are unscoped, and some variables that are scoped to an environment (eg Development)
     [screenshot]
  2. Create another unrelated project (eg Foo)
  3. Configure a separate user that has the following permissions:
     • The "Project Contributor" role scoped to [OctoFX, Development]
     • VariableViewUnscoped scoped to [Foo]
  4. As that user, try to view the variables for the project OctoFX

Expected result

This user should not be able to view the unscoped variable within OctoFX, because their VariableViewUnscoped permission was not scoped to the OctoFX project.

Actual result

This user is able to see the unscoped variables from the project OctoFX, regardless of how their VariableViewUnscoped permission has been scoped.

Screenshots

In 2018.10.6 (working)

With this permissions setup:
[screenshot]

You can only view the one variable in OctoFX:
[screenshot]

In 2019.4.4 (failing)

With this permissions setup:
[screenshot]

You can view all unscoped variables in OctoFX:
[screenshot]

Details

The affected permissions are not used by any built-in roles in Octopus. If you are using built-in roles only, you will not be affected.

Affected versions of Octopus Server

2019.1.0 - 2019.3.1 (inclusive), and 2019.4.0 - 2019.4.5 (inclusive)

Workarounds

There is no known way of preserving the same access control that existed before this regression was introduced.

Until an upgrade can be performed to a version of Octopus Server where this bug has been fixed, it is recommended that the VariableViewUnscoped and VariableEditUnscoped permissions are revoked where possible and that only highly privileged users (e.g. admins or space managers) are granted these permissions.
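A small model of the scoping check this issue describes, added here as an illustration and not Octopus Server's own code. It assumes the Project Contributor role carries a VariableView grant (a modelling assumption), and runs the repro setup above through both the correct project-scoped check and the regressed one so the difference in visible variables is concrete.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed model of Octopus-style scoped permissions, not Octopus Server's own code.
# A grant whose project or environment set is empty is unrestricted in that dimension.
@dataclass(frozen=True)
class Grant:
    permission: str
    projects: FrozenSet[str] = frozenset()
    environments: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Variable:
    name: str
    environment: Optional[str] = None  # None means the variable is unscoped

def grant_covers(grant: Grant, project: str, environment: Optional[str]) -> bool:
    """Correct check: the grant must cover the project and, for scoped variables, the environment."""
    if grant.projects and project not in grant.projects:
        return False
    if environment is not None and grant.environments and environment not in grant.environments:
        return False
    return True

def visible_variables(grants: Iterable[Grant], project: str,
                      variables: Iterable[Variable], regressed: bool = False) -> List[str]:
    """Names of the variables in `project` the user may view.
    regressed=True reproduces 2019.1.0-2019.4.5: holding VariableViewUnscoped for any
    project is treated as holding it everywhere, so the grant's project scope is skipped."""
    visible = []
    for var in variables:
        needed = "VariableViewUnscoped" if var.environment is None else "VariableView"
        for grant in grants:
            if grant.permission != needed:
                continue
            if regressed and needed == "VariableViewUnscoped":
                visible.append(var.name)  # project scope on the grant is never consulted
                break
            if grant_covers(grant, project, var.environment):
                visible.append(var.name)
                break
    return visible

# Constructed repro data mirroring the issue (assumes Project Contributor carries VariableView).
GRANTS = (Grant("VariableView", frozenset({"OctoFX"}), frozenset({"Development"})),
          Grant("VariableViewUnscoped", frozenset({"Foo"})))
OCTOFX_VARIABLES = (Variable("DbPassword"), Variable("ApiKey"), Variable("DevUrl", "Development"))
if __name__ == "__main__":
    print("fixed:    ", visible_variables(GRANTS, "OctoFX", OCTOFX_VARIABLES))
    print("regressed:", visible_variables(GRANTS, "OctoFX", OCTOFX_VARIABLES, regressed=True))
```

With the correct check the user sees only the Development-scoped variable, matching the 2018.10.6 screenshot; with the regressed check the two unscoped OctoFX variables leak even though the grant was scoped to Foo.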

@TomPeters

commented May 1, 2019

Release Note: Fixed an access control bug where project scoping was not being applied for VariableViewUnscoped and VariableEditUnscoped permissions (CVE-2019-11632)

@TomPeters TomPeters closed this May 1, 2019

@octoreleasebot octoreleasebot removed this from the 2019.4.6 milestone May 1, 2019

@TomPeters TomPeters added this to the 2019.4.6 milestone May 1, 2019

@TomPeters TomPeters changed the title Variable[View/Edit]Unscoped permissions don't comply with project scoping Variable[View/Edit]Unscoped permissions don't comply with project scoping (CVE-2019-11632) May 1, 2019

@slewis74 slewis74 modified the milestones: 2019.4.6, 2019.4.7 May 2, 2019
