Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-1904 | 1 Octopus | 1 Octopus Server | 2024-09-18 | N/A | 7.5 HIGH |
| In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | |||||
| CVE-2022-2346 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | |||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | |||||
| CVE-2022-4870 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible to discover network details via error message | |||||
| CVE-2022-4008 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.5 MEDIUM |
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | |||||
| CVE-2022-2507 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage | |||||
| CVE-2022-4898 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.4 MEDIUM |
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS | |||||
| CVE-2022-4009 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 8.8 HIGH |
| In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation | |||||
| CVE-2022-2721 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 7.5 HIGH |
| In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. | |||||
| CVE-2022-2258 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items | |||||
| CVE-2022-3460 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 7.5 HIGH |
| In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | |||||
| CVE-2022-2259 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items | |||||
| CVE-2022-2883 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 7.5 HIGH |
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | |||||
| CVE-2022-3614 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | |||||
| CVE-2022-29890 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 6.1 MEDIUM |
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | |||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | |||||
| CVE-2022-2572 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 9.8 CRITICAL |
| In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | |||||
| CVE-2022-2781 | 1 Octopus | 1 Octopus Server | 2024-02-28 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | |||||
| CVE-2022-2778 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-02-28 | N/A | 9.8 CRITICAL |
| In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | |||||
| CVE-2022-30532 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-02-28 | N/A | 5.3 MEDIUM |
| In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | |||||