Vulnerabilities (CVE)

Filtered by vendor Octopus Subscribe

Filtered by product Octopus Server

Total 45 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2019-11632	1 Octopus	2 Octopus Deploy, Octopus Server	2024-11-21	5.5 MEDIUM	8.1 HIGH
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)
CVE-2018-18850	1 Octopus	1 Octopus Server	2024-11-21	9.0 HIGH	8.8 HIGH
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).
CVE-2018-12089	1 Octopus	1 Octopus Server	2024-11-21	3.5 LOW	7.5 HIGH
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.
CVE-2018-11320	1 Octopus	1 Octopus Server	2024-11-21	5.0 MEDIUM	9.8 CRITICAL
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
CVE-2017-11348	1 Octopus	2 Octopus Deploy, Octopus Server	2024-11-21	6.3 MEDIUM	5.7 MEDIUM
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.