CVE-2020-10678: 
Octopus Deploy vulnerability analysis and mitigation

In Octopus Deploy before version 2020.1.5, a security vulnerability was identified that affected customers running on-premises Active Directory linked to their Octopus server. The vulnerability (CVE-2020-10678) allowed an authenticated user to leverage a bug to escalate privileges. The issue was discovered and disclosed in March 2020 (Octopus Issues).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires network access, low attack complexity, low privileges, no user interaction, and has high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability could allow an authenticated attacker to escalate their privileges within the Octopus Deploy system, potentially gaining unauthorized access to sensitive resources and functionality. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in Octopus Deploy version 2020.1.5 and was also backported to versions 2019.9.15 and 2019.12.8. Organizations should upgrade to one of these patched versions to protect against this vulnerability (Octopus Issues).