CVE-2017-17665

HIGH

8.8

CVSS Severity Score

EPSS Score0.0300%

EPSS Percentile20.84th

PublishedDec 13, 2017

Last ModifiedMay 13, 2026

Vulnerability Description

In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access.

Affected Platforms (CPE)

📦

Octopus

Octopus Deploy

< 4.1.3

References & Advisories

🔗 https://github.com/OctopusDeploy/Issues/issues/4073

Related Vulnerabilities

CVE-2018-113209.8

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfus...

CVE-2018-57068.8

An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves...

CVE-2018-48628.8

In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an A...

CVE-2018-188508.8

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes ...