CVE-2017-15611

Published: Oct 19, 2017Modified: May 13, 2026

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.

Affected (1)

Products: Octopus: Octopus Deploy

Octopus

1 product

Octopus Deploy

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Octopus Octopus Deploy	Up to 3.17.6

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://github.com/OctopusDeploy/Issues/issues/3864

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/OctopusDeploy/Issues/issues/3864

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

Timeline

No history available yet.