Privilege Escalation via Azure Account Scoping Bypass in Octopus Deploy

Privilege Escalation via Azure Account Scoping Bypass in Octopus Deploy

CVE-2018-4862 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, resulting in a potential escalation of privileges.

Learn more about our Azure Audit.