TaskView permission is not scoped to any dimensions e.g. Projects, environments and tenants #6331
Closed
5 tasks done
Labels
area/security
kind/bug
LTS/2019.12
priority
Prerequisites
Description
TaskView permission is not scoped to any dimension. E.g. scoped users who are scoped to only Tenant-A are able to view server tasks scoped to Tenant-B.
Affected versions
Octopus Server:
Affects 2019.7.1 - 2020.1.11, excluding any 2019.12.* version after 2019.12.9 (inclusive).
Fixed in 2019.12.9, 2020.1.12 and master
Mitigation
NA
Workarounds
NA
Relevant Pull Request(s)
https://github.com/OctopusDeploy/OctopusDeploy/pull/5660
Relevant Private Issue(s)
https://github.com/OctopusDeploy/OctopusDeploy/issues/5664
CVE
CVE-2020-12286
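
Added example, not part of the original issue or of Octopus Deploy's code: a check that applies the affected range stated under "Affected versions" to an inventory of Octopus Server versions. The instance names and the inventory are constructed, and the helper names are hypothetical.

```python
import re

# Bounds copied from the "Affected versions" section of this issue.
FIRST_AFFECTED = (2019, 7, 1)
LAST_AFFECTED = (2020, 1, 11)
LTS_BRANCH = (2019, 12)    # branch that received its own fix
LTS_FIRST_FIXED_PATCH = 9  # 2019.12.9 and every later 2019.12.* are fixed


def parse_version(text):
    """Return (major, minor, patch) as integers from e.g. '2019.12.9'."""
    match = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version falls in the range this issue lists as affected."""
    version = parse_version(version_text)
    # Integer tuples, not strings: as text, "2019.12.9" sorts before "2019.7.1".
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return False
    if version[:2] == LTS_BRANCH and version[2] >= LTS_FIRST_FIXED_PATCH:
        return False
    return True


def triage(inventory):
    """Given {instance name: version}, return the affected names, sorted."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed inventory for illustration; the host names are hypothetical.
SAMPLE_INVENTORY = {
    "octo-prod": "2019.12.8",
    "octo-staging": "2019.12.9",
    "octo-dev": "2020.1.11",
    "octo-lab": "2020.1.12",
    "octo-legacy": "2019.6.13",
}

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: {SAMPLE_INVENTORY[name]} is in the affected range")
```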