TaskView permission is not scoped to any dimensions e.g. Projects, environments and tenants #6331

Closed · 5 tasks done
andyinaus opened this issue Apr 28, 2020 · 0 comments
Labels: area/security; kind/bug (This issue represents a verified problem we are committed to solving); LTS/2019.12; priority (obsolete) (This issue has been recognised as a priority and should be addressed as soon as possible)
Milestone: 2019.12.9

andyinaus commented Apr 28, 2020

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

The TaskView permission is not scoped to any dimension (projects, environments or tenants). For example, a user whose access is scoped to Tenant-A only is able to view server tasks that are scoped to Tenant-B.
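The defect described above is an authorization check that tests the permission name but ignores the dimensions the grant is restricted to. The following is an added example written for this page, not Octopus Deploy's own code; the names (`ServerTask`, `PermissionGrant`, `can_view_task`, the dimension keys) are hypothetical, and the rule that a task carrying no value in a dimension the grant restricts is denied is an assumption chosen here to fail closed. It places the unscoped check beside a scoped one and evaluates both against constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence

# Hypothetical model for this example; the three dimensions are the ones the issue names.
DIMENSIONS = ("projects", "environments", "tenants")


@dataclass
class ServerTask:
    task_id: str
    # dimension -> ids the task belongs to (a dimension may be absent, e.g. an untenanted task)
    scope: Dict[str, FrozenSet[str]]


@dataclass
class PermissionGrant:
    permission: str
    # dimension -> ids the grant is restricted to; a missing key or None means unrestricted
    restrictions: Dict[str, Optional[FrozenSet[str]]]


def can_view_task_unscoped(grants: Sequence[PermissionGrant], task: ServerTask) -> bool:
    """Vulnerable pattern: only the permission name is checked, so a user
    restricted to Tenant-A is granted TaskView on a Tenant-B task."""
    return any(g.permission == "TaskView" for g in grants)


def grant_covers(grant: PermissionGrant, task: ServerTask) -> bool:
    """True when every restricted dimension of the grant matches the task's scope."""
    for dim in DIMENSIONS:
        allowed = grant.restrictions.get(dim)
        if allowed is None:
            continue  # unrestricted in this dimension
        task_values = task.scope.get(dim, frozenset())
        if not task_values:
            # Task has no value in a dimension the grant restricts: deny (assumption: fail closed)
            return False
        if task_values.isdisjoint(allowed):
            return False  # task belongs to ids outside the grant's restriction
    return True


def can_view_task(grants: Sequence[PermissionGrant], task: ServerTask) -> bool:
    """Hardened check: the permission must be granted AND its scope must cover the task."""
    return any(g.permission == "TaskView" and grant_covers(g, task) for g in grants)


# Constructed sample data for the scenario in the issue text.
TENANT_A_GRANTS = [PermissionGrant("TaskView", {"tenants": frozenset({"Tenant-A"})})]
ADMIN_GRANTS = [PermissionGrant("TaskView", {})]  # unrestricted in every dimension

TASK_TENANT_A = ServerTask("ServerTasks-1", {"projects": frozenset({"Proj-1"}),
                                             "environments": frozenset({"Production"}),
                                             "tenants": frozenset({"Tenant-A"})})
TASK_TENANT_B = ServerTask("ServerTasks-2", {"projects": frozenset({"Proj-1"}),
                                             "environments": frozenset({"Production"}),
                                             "tenants": frozenset({"Tenant-B"})})
TASK_UNTENANTED = ServerTask("ServerTasks-3", {"projects": frozenset({"Proj-1"}),
                                               "environments": frozenset({"Production"})})


def compare_checks() -> Dict[str, bool]:
    """Return both decisions for the cross-tenant task so the difference is visible."""
    return {
        "unscoped_allows_tenant_b_task": can_view_task_unscoped(TENANT_A_GRANTS, TASK_TENANT_B),
        "scoped_allows_tenant_b_task": can_view_task(TENANT_A_GRANTS, TASK_TENANT_B),
        "scoped_allows_tenant_a_task": can_view_task(TENANT_A_GRANTS, TASK_TENANT_A),
    }


if __name__ == "__main__":
    for name, decision in compare_checks().items():
        print(f"{name}: {decision}")
```

The scoped check treats each dimension independently and denies on the first mismatch, which is the shape of check a task-listing endpoint needs before returning a task to the caller; filtering the list after the fact with the same predicate is the same logic applied per row.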

Affected versions

Octopus Server:
Affects 2019.7.1 - 2020.1.11, excluding 2019.12.9 and any later 2019.12.* version.
Fixed in 2019.12.9, 2020.1.12 and master.

Mitigation

NA

Workarounds

NA

Relevant Pull Request(s)

https://github.com/OctopusDeploy/OctopusDeploy/pull/5660

Relevant Private Issue(s)

https://github.com/OctopusDeploy/OctopusDeploy/issues/5664

CVE

CVE-2020-12286

@andyinaus andyinaus added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security LTS/2019.12 labels Apr 28, 2020
@andyinaus andyinaus added this to the 2019.12.9 milestone Apr 28, 2020