CVE-2018-18850
Published: 2018-10-31
Priority: P2 · 66 · high · 8.8 (CVSS 3.0)
Tags: EXPLOIT
EPSS: 12.47% (95.7th percentile)
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octopus | octopus_server | 2018.8.0 – 2018.8.12 | — |
| octopus | octopus_server | >= 2018.9.0 < 2018.9.1 | 2018.9.1 |
Detection & IOCs (extracted from sources)
- Look for authenticated uploads of YAML configuration files to Octopus Deploy deployment process endpoints, particularly from users with deployment process modification permissions.
- Monitor for PowerShell script steps being injected or executed on the Octopus Deploy server during a deployment, especially those originating from API key or credential-based authentication.
- Alert on processes spawned by the Octopus Server running as SYSTEM (self-hosted), particularly child processes of the Octopus service that are PowerShell instances.
- Exploitation can be performed using only valid credentials or an API key; monitor for API key usage triggering deployment process modifications followed by immediate deployment execution.
- Affected versions are specifically Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1; detections should be scoped to this version range to reduce false positives.
- The exploit requires an authenticated session (valid credentials or API key); unauthenticated traffic to Octopus Deploy is not a vector for this CVE.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.