CVE-2018-18850: Remote Code Execution via malicious YAML configurations in some versions · Issue #5042 · OctopusDeploy/Issues

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing remote execution of arbitrary code in the same security context as the Octopus Server (which, for self-hosted installations, is SYSTEM by default).


Description

An authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing remote execution of arbitrary code in the same security context as the Octopus Server (which, for self-hosted installations, is SYSTEM by default).

If this issue is of concern to you and your team, we strongly recommend upgrading to version 2018.9.1.

CVE-2018-18850

Affected versions

Octopus Server:
versions 2018.8.0-2018.9.0, inclusive.

Mitigation

In any version affected by this issue, we recommend upgrading to version 2018.9.1.

Workarounds

In situations where an upgrade is not possible, running the Octopus Server built-in worker as a service account with limited privileges may help to minimize the potential impact of such an occurrence. However, this will not prevent attackers from attempting to chain other attacks against the server.

https://octopus.com/docs/administration/security/hardening-octopus#prevent-user-provided-scripts-from-doing-harm

https://octopus.com/docs/administration/workers/built-in-worker#running-tasks-on-the-octopus-server-as-a-different-user
