Vulnerabilities (CVE)

Filtered by vendor Octopus Subscribe
Filtered by product Octopus Server
Total 45 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-1904 1 Octopus 1 Octopus Server 2024-09-18 N/A 7.5 HIGH
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
CVE-2022-2346 1 Octopus 1 Octopus Server 2024-02-28 N/A 4.3 MEDIUM
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-2416 1 Octopus 1 Octopus Server 2024-02-28 N/A 4.3 MEDIUM
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
CVE-2022-4870 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.3 MEDIUM
In affected versions of Octopus Deploy it is possible to discover network details via error message
CVE-2022-4008 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.5 MEDIUM
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-2507 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.3 MEDIUM
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVE-2022-4898 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.4 MEDIUM
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS
CVE-2022-4009 1 Octopus 1 Octopus Server 2024-02-28 N/A 8.8 HIGH
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
CVE-2022-2721 1 Octopus 1 Octopus Server 2024-02-28 N/A 7.5 HIGH
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.
CVE-2022-2258 1 Octopus 1 Octopus Server 2024-02-28 N/A 4.3 MEDIUM
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
CVE-2022-3460 1 Octopus 1 Octopus Server 2024-02-28 N/A 7.5 HIGH
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
CVE-2022-2259 1 Octopus 1 Octopus Server 2024-02-28 N/A 4.3 MEDIUM
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
CVE-2022-2883 1 Octopus 1 Octopus Server 2024-02-28 N/A 7.5 HIGH
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-3614 1 Octopus 1 Octopus Server 2024-02-28 N/A 6.1 MEDIUM
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
CVE-2022-29890 1 Octopus 1 Octopus Server 2024-02-28 N/A 6.1 MEDIUM
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-2783 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.3 MEDIUM
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVE-2022-2572 1 Octopus 1 Octopus Server 2024-02-28 N/A 9.8 CRITICAL
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVE-2022-2781 1 Octopus 1 Octopus Server 2024-02-28 N/A 5.3 MEDIUM
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
CVE-2022-2778 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-02-28 N/A 9.8 CRITICAL
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVE-2022-30532 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-02-28 N/A 5.3 MEDIUM
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.