cvedb.io
CVE-2018-18850
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2018-10-31T03:29:00.207 · Last modified 2026-06-17T01:48:01.097

Summary

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).

Affected products

octopus — octopus_server

Does this affect you?

Add your gear to cvedb and we'll alert you only when octopus ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.