
CVE-2018-18850

  • Severity Score: 8.8 (CVSS v3)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).

In Octopus Deploy, from version 2018.8.0 through the 2018.9.x versions prior to 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration. This could allow remote execution of arbitrary code, running in the same context as the Octopus server (for self-hosted installations, SYSTEM by default).

*Credits: N/A
CVSS Scores

CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-10-30 CVE Reserved
  • 2018-10-31 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-11-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (1)
  • https://github.com/OctopusDeploy/Issues/issues/5042 (Third Party Advisory)
Affected Vendors, Products, and Versions
  • Vendor: Octopus; Product: Octopus Server; Version: >= 2018.8.0 <= 2018.8.12; Other: -; Status: Affected
  • Vendor: Octopus; Product: Octopus Server; Version: >= 2018.9.0 < 2018.9.1; Other: -; Status: Affected