Total
45 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-2778 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | N/A | 9.8 CRITICAL |
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | |||||
CVE-2022-2508 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | |||||
CVE-2022-2049 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | N/A | 7.5 HIGH |
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. | |||||
CVE-2022-2075 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | N/A | 7.5 HIGH |
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. | |||||
CVE-2022-30532 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | |||||
CVE-2022-1901 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | |||||
CVE-2022-2572 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 9.8 CRITICAL |
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | |||||
CVE-2022-2720 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. | |||||
CVE-2022-29890 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 6.1 MEDIUM |
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | |||||
CVE-2022-2760 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 4.3 MEDIUM |
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. | |||||
CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 5.3 MEDIUM |
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
CVE-2022-2828 | 1 Octopus | 1 Octopus Server | 2023-12-10 | N/A | 6.5 MEDIUM |
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | |||||
CVE-2022-1670 | 1 Octopus | 1 Octopus Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | |||||
CVE-2021-26556 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2023-12-10 | 4.4 MEDIUM | 7.8 HIGH |
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | |||||
CVE-2022-23184 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | |||||
CVE-2021-31820 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | |||||
CVE-2020-16197 | 1 Octopus | 2 Octopus Server, Server | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation. | |||||
CVE-2019-15698 | 1 Octopus | 1 Octopus Server | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10. | |||||
CVE-2019-14525 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | |||||
CVE-2019-11632 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2023-12-10 | 5.5 MEDIUM | 8.1 HIGH |
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) |