Vulnerability Details CVE-2018-12089
In Octopus Deploy versions 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 3.5
Products affected by CVE-2018-12089
- cpe:2.3:a:octopus:octopus_server:2018.5.1
- cpe:2.3:a:octopus:octopus_server:2018.5.2
- cpe:2.3:a:octopus:octopus_server:2018.5.3
- cpe:2.3:a:octopus:octopus_server:2018.5.4
- cpe:2.3:a:octopus:octopus_server:2018.5.5
- cpe:2.3:a:octopus:octopus_server:2018.5.6
- cpe:2.3:a:octopus:octopus_server:2018.5.7