CVE-2018-18850
published 2018-10-31


Priority: P2 (66, high)
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)

Exploit
EPSS: 12.47% (95.7th percentile)
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).

Affected (2 ranges)

| Vendor  | Product        | Version range                 | Fixed in |
|---------|----------------|-------------------------------|----------|
| octopus | octopus_server | 2018.8.0 – 2018.8.12          |          |
| octopus | octopus_server | >= 2018.9.0 and < 2018.9.1    | 2018.9.1 |

Detection & IOCs (extracted from sources)

  • Look for authenticated uploads of YAML configuration files to Octopus Deploy deployment process endpoints, particularly from users with deployment process modification permissions.
  • Monitor for PowerShell script steps being injected or executed on the Octopus Deploy server during a deployment, especially those originating from API key or credential-based authentication.
  • Alert on processes spawned by the Octopus Server running as SYSTEM (self-hosted), particularly child processes of the Octopus service that are PowerShell instances.
  • Exploitation can be performed using only valid credentials or an API key — monitor for API key usage triggering deployment process modifications followed by immediate deployment execution.
  • Affected versions are specifically Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1; detections should be scoped to this version range to reduce false positives.
  • The exploit requires an authenticated session (valid credentials or an API key); unauthenticated traffic to Octopus Deploy is not a vector for this CVE.

CVSS provenance

| Source | Version | Score | Severity | Vector                                       |
|--------|---------|-------|----------|----------------------------------------------|
| nvd    | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd    | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C                   |