Total
45 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-8944 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | |||||
CVE-2018-18850 | 1 Octopus | 1 Octopus Server | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM). | |||||
CVE-2018-11320 | 1 Octopus | 1 Octopus Server | 2024-02-28 | 5.0 MEDIUM | 9.8 CRITICAL |
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. | |||||
CVE-2018-12089 | 1 Octopus | 1 Octopus Server | 2024-02-28 | 3.5 LOW | 7.5 HIGH |
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0. | |||||
CVE-2017-11348 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-02-28 | 6.3 MEDIUM | 5.7 MEDIUM |
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. |