All the vulnerabilites related to Octopus Deploy - Octopus Server
cve-2022-1670
Vulnerability from cvelistv5
Published
2022-05-19 04:25
Modified
2024-08-03 00:10
Severity
Summary
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-04/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2021.3.12533",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.1.53",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User invitation limit in Octopus Server can be exceeded",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T04:25:09",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-1670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.12533"
},
{
"version_affected": "\u003e=",
"version_value": "2022.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.53"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User invitation limit in Octopus Server can be exceeded"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-04/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-1670",
"datePublished": "2022-05-19T04:25:09",
"dateReserved": "2022-05-11T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-30532
Vulnerability from cvelistv5
Published
2022-07-19 06:50
Modified
2024-08-03 06:48
Severity
Summary
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-08/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:48:36.351Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-08/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2021.3.13021",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.2849",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.2387",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Logging",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-19T06:50:10",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-08/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-30532",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.13021"
},
{
"version_affected": "\u003e=",
"version_value": "2022.1.2121"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2849"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.2387"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Logging"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-08/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-08/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-30532",
"datePublished": "2022-07-19T06:50:10",
"dateReserved": "2022-06-06T00:00:00",
"dateUpdated": "2024-08-03T06:48:36.351Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2783
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-17/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.12.0",
"versionType": "custom"
},
{
"lessThan": "2022.1.3154",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7897",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSRF",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-11T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-17/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2783",
"datePublished": "2022-10-06T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2778
Vulnerability from cvelistv5
Published
2022-09-30 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-15/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2022.2.8277",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.1371",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Rate Limit Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-15/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2778",
"datePublished": "2022-09-30T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2346
Vulnerability from cvelistv5
Published
2023-08-02 01:09
Modified
2024-08-03 00:32
Severity
Summary
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-10/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.4.9997",
"status": "affected",
"version": "2019.4.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.10235",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2023.2.10545",
"status": "affected",
"version": "2023.2.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints."
}
],
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Guest user with low permissions able to interact with extension endpoints",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T02:02:12.977Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-10/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2346",
"datePublished": "2023-08-02T01:09:01.761Z",
"dateReserved": "2022-07-08T05:52:42.083Z",
"dateUpdated": "2024-08-03T00:32:09.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3460
Vulnerability from cvelistv5
Published
2023-01-02 00:00
Modified
2024-08-03 01:07
Severity
Summary
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-25/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.3.1",
"versionType": "custom"
},
{
"lessThan": "2021.3.13150",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.3281",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.7897",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8221",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposure of Sensitive Information Through Environmental Variables",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-02T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-25/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-3460",
"datePublished": "2023-01-02T00:00:00",
"dateReserved": "2022-10-11T00:00:00",
"dateUpdated": "2024-08-03T01:07:06.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-4870
Vulnerability from cvelistv5
Published
2023-05-18 00:00
Modified
2024-08-03 01:55
Severity
Summary
In affected versions of Octopus Deploy it is possible to discover network details via error message
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:45.795Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-09/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.9879",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to discover network details via error message"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Network discovery via error message detail",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-09/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4870",
"datePublished": "2023-05-18T00:00:00",
"dateReserved": "2023-01-03T00:00:00",
"dateUpdated": "2024-08-03T01:55:45.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2782
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-21/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.2.8351",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.2898",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Session Expiration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-26T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-21/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2782",
"datePublished": "2022-10-26T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2507
Vulnerability from cvelistv5
Published
2023-04-19 00:00
Modified
2024-08-03 00:39
Severity
Summary
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-06/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10957",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8332",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.1.6715",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Weak Content Security Policy Header",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-19T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-06/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2507",
"datePublished": "2023-04-19T00:00:00",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-08-03T00:39:07.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2508
Vulnerability from cvelistv5
Published
2022-10-27 00:00
Modified
2024-08-03 00:39
Severity
Summary
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-22/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.1.3264",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.8351",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.2898",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-27T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-22/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2508",
"datePublished": "2022-10-27T00:00:00",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-4811
Vulnerability from cvelistv5
Published
2024-07-25 04:46
Modified
2024-08-01 20:55
Severity
Summary
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T13:17:06.536166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T18:50:14.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:09.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-05/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.8608",
"status": "affected",
"version": "2023.1",
"versionType": "custom"
},
{
"lessThan": "2024.1.12759",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts."
}
],
"value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Access to failed project imports in restricted spaces",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T04:46:43.523Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-05/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4811",
"datePublished": "2024-07-25T04:46:43.523Z",
"dateReserved": "2024-05-13T02:06:31.944Z",
"dateUpdated": "2024-08-01T20:55:09.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2074
Vulnerability from cvelistv5
Published
2022-08-19 09:00
Modified
2024-08-03 00:24
Severity
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-11/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-11/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.1.2894",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.6872",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.4953",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regex Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T09:00:20",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-11/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-2074",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2894"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.6872"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.4953"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regex Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-11/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-11/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2074",
"datePublished": "2022-08-19T09:00:20",
"dateReserved": "2022-06-14T00:00:00",
"dateUpdated": "2024-08-03T00:24:44.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-4456
Vulnerability from cvelistv5
Published
2024-05-08 00:46
Modified
2024-08-01 20:40
Severity
Summary
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T15:05:42.820687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:09.003Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-04/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.3.13361",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2023.4.8338",
"status": "affected",
"version": "2023.4.296",
"versionType": "custom"
},
{
"lessThan": "2024.1.11127",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page."
}
],
"value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored XSS in Audit Page",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-08T00:58:15.876Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-04/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4456",
"datePublished": "2024-05-08T00:46:31.887Z",
"dateReserved": "2024-05-03T06:20:51.354Z",
"dateUpdated": "2024-08-01T20:40:47.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-4009
Vulnerability from cvelistv5
Published
2023-03-16 00:00
Modified
2024-08-03 01:27
Severity
Summary
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-05/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.19",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.1.4189",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command injection via offline package creation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-16T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-05/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4009",
"datePublished": "2023-03-16T00:00:00",
"dateReserved": "2022-11-16T00:00:00",
"dateUpdated": "2024-08-03T01:27:54.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2781
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-16/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.2.10",
"versionType": "custom"
},
{
"lessThan": "2022.1.3154",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7897",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Encryption",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-11T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-16/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2781",
"datePublished": "2022-10-06T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2572
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 00:39
Severity
Summary
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-23/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.5",
"versionType": "custom"
},
{
"lessThan": "2022.1.3264",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.8277",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.2898",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-01T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-23/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2572",
"datePublished": "2022-11-01T00:00:00",
"dateReserved": "2022-07-29T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-26556
Vulnerability from cvelistv5
Published
2021-10-07 01:00
Modified
2024-08-03 20:26
Severity
Summary
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:26:25.523Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-%28CVE-2021-26556%29.1733296189.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2020.4.229",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2020.5.0",
"versionType": "custom"
},
{
"lessThan": "2020.5.256",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Local privilege escalation in Octopus Server (Windows)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-07T01:00:12",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-%28CVE-2021-26556%29.1733296189.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2021-26556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2020.4.229"
},
{
"version_affected": "\u003e=",
"version_value": "2020.5.0"
},
{
"version_affected": "\u003c",
"version_value": "2020.5.256"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Local privilege escalation in Octopus Server (Windows)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-(CVE-2021-26556).1733296189.html",
"refsource": "MISC",
"url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-(CVE-2021-26556).1733296189.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2021-26556",
"datePublished": "2021-10-07T01:00:12",
"dateReserved": "2021-02-02T00:00:00",
"dateUpdated": "2024-08-03T20:26:25.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-6972
Vulnerability from cvelistv5
Published
2024-07-25 05:16
Modified
2024-08-01 21:45
Severity
Summary
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:56:25.168310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:56:32.509Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-06/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.1.12759",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text."
}
],
"value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sensitive Variables exposed in TaskLogs",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T05:16:49.256Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-06/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-6972",
"datePublished": "2024-07-25T05:16:49.256Z",
"dateReserved": "2024-07-22T02:03:32.352Z",
"dateUpdated": "2024-08-01T21:45:38.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-1904
Vulnerability from cvelistv5
Published
2023-12-14 07:23
Modified
2024-08-02 06:05
Severity
Summary
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:26.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-12/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.7897",
"versionType": "custom"
},
{
"lessThan": "2023.1.11942",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.2.13151",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.3.5049",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.\u003c/p\u003e"
}
],
"value": "In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OpenID client secret logged in plain text during configuration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T07:23:08.589Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-12/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-1904",
"datePublished": "2023-12-14T07:23:08.589Z",
"dateReserved": "2023-04-06T06:30:38.789Z",
"dateUpdated": "2024-08-02T06:05:26.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2013
Vulnerability from cvelistv5
Published
2022-06-12 23:50
Modified
2024-08-03 00:24
Severity
Summary
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-05/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-05/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.1495",
"versionType": "custom"
},
{
"lessThan": "2022.1.2647",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-12T23:50:09",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-05/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-2013",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2022.1.1495"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2647"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-05/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-05/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2013",
"datePublished": "2022-06-12T23:50:09",
"dateReserved": "2022-06-07T00:00:00",
"dateUpdated": "2024-08-03T00:24:43.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-4509
Vulnerability from cvelistv5
Published
2024-04-17 23:10
Modified
2024-08-02 07:31
Severity
Summary
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2024.2.101 ",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T19:18:35.698764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:23.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-02/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.296",
"status": "affected",
"version": "2018.9",
"versionType": "custom"
},
{
"lessThan": "2024.1.437",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.101",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt."
}
],
"value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "API key disclosed in Octopus Server audit log",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-17T23:10:37.111Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-02/"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-4509",
"datePublished": "2024-04-17T23:10:37.111Z",
"dateReserved": "2023-08-24T03:00:03.168Z",
"dateUpdated": "2024-08-02T07:31:05.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-4226
Vulnerability from cvelistv5
Published
2024-04-30 01:53
Modified
2024-08-01 20:33
Severity
Summary
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T18:03:49.095055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:44.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/SA2024-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.2.7934",
"status": "affected",
"version": "2022.2.5205",
"versionType": "custom"
},
{
"lessThan": "2022.3.9163",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed."
}
],
"value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Users with no permissions can see all users",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-30T01:53:34.277Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/SA2024-03/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4226",
"datePublished": "2024-04-30T01:53:34.277Z",
"dateReserved": "2024-04-26T03:52:25.114Z",
"dateUpdated": "2024-08-01T20:33:52.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31816
Vulnerability from cvelistv5
Published
2021-07-08 10:43
Modified
2024-08-03 23:10
Severity
Summary
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31816%29.2121793537.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2020.6.5146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.1.7149",
"versionType": "custom"
},
{
"lessThan": "2021.1.7316",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext Storage of Sensitive Information (Windows)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-08T10:43:39",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31816%29.2121793537.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2021-31816",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2020.6.5146"
},
{
"version_affected": "\u003e=",
"version_value": "2021.1.7149"
},
{
"version_affected": "\u003c",
"version_value": "2021.1.7316"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext Storage of Sensitive Information (Windows)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html",
"refsource": "MISC",
"url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2021-31816",
"datePublished": "2021-07-08T10:43:39",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2780
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-20/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.2.994",
"versionType": "custom"
},
{
"lessThan": "2022.1.3180",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7965",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass by Capture-Replay",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-20/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2780",
"datePublished": "2022-10-14T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31820
Vulnerability from cvelistv5
Published
2021-08-18 10:43
Modified
2024-08-03 23:10
Severity
Summary
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:29.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-%28CVE-2021-31820%29.2193063986.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.8.2",
"versionType": "custom"
},
{
"lessThan": "2020.6.5310",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.1.7149",
"versionType": "custom"
},
{
"lessThan": "2021.1.7622",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Proxy Password Stored in Plaintext",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-18T10:43:57",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-%28CVE-2021-31820%29.2193063986.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2021-31820",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2018.8.2"
},
{
"version_affected": "\u003c",
"version_value": "2020.6.5310"
},
{
"version_affected": "\u003e=",
"version_value": "2021.1.7149"
},
{
"version_affected": "\u003c",
"version_value": "2021.1.7622"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Proxy Password Stored in Plaintext"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-(CVE-2021-31820).2193063986.html",
"refsource": "MISC",
"url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-(CVE-2021-31820).2193063986.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2021-31820",
"datePublished": "2021-08-18T10:43:57",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:29.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-3614
Vulnerability from cvelistv5
Published
2023-01-03 00:00
Modified
2024-08-03 01:14
Severity
Summary
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-26/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.5.1",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8063",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-26/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-3614",
"datePublished": "2023-01-03T00:00:00",
"dateReserved": "2022-10-19T00:00:00",
"dateUpdated": "2024-08-03T01:14:02.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31818
Vulnerability from cvelistv5
Published
2021-06-17 13:22
Modified
2024-08-03 23:10
Severity
Summary
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.9.17",
"versionType": "custom"
},
{
"lessThan": "2020.6.5146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.1.7149",
"versionType": "custom"
},
{
"lessThan": "2021.1.7316",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn\u2019t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-17T13:22:17",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2021-31818",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2018.9.17"
},
{
"version_affected": "\u003c",
"version_value": "2020.6.5146"
},
{
"version_affected": "\u003e=",
"version_value": "2021.1.7149"
},
{
"version_affected": "\u003c",
"version_value": "2021.1.7316"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn\u2019t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-(CVE-2021-31818).2013233248.html",
"refsource": "MISC",
"url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-(CVE-2021-31818).2013233248.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2021-31818",
"datePublished": "2021-06-17T13:22:17",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2416
Vulnerability from cvelistv5
Published
2023-08-02 05:26
Modified
2024-08-03 00:39
Severity
Summary
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.800Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-11/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.4.9997",
"status": "affected",
"version": "2019.4.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.10235",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2023.2.10545",
"status": "affected",
"version": "2023.2.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment."
}
],
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Blind SSRF vulnerability that allows enumeration/recon of an environment",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T05:26:10.773Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-11/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2416",
"datePublished": "2023-08-02T05:26:10.773Z",
"dateReserved": "2022-07-15T00:45:56.517Z",
"dateUpdated": "2024-08-03T00:39:07.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2528
Vulnerability from cvelistv5
Published
2022-09-09 07:50
Modified
2024-08-03 00:39
Severity
Summary
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-13/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-13/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2022.1.3106",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7718",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.7782",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T07:50:08",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-13/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-2528",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.3106"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.7718"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.7782"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-13/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-13/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2528",
"datePublished": "2022-09-09T07:50:08",
"dateReserved": "2022-07-25T00:00:00",
"dateUpdated": "2024-08-03T00:39:08.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2828
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2024-08-03 00:52
Severity
Summary
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-19/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.3135",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7897",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-19/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2828",
"datePublished": "2022-10-13T00:00:00",
"dateReserved": "2022-08-16T00:00:00",
"dateUpdated": "2024-08-03T00:52:59.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2975
Vulnerability from cvelistv5
Published
2024-04-09 01:02
Modified
2024-08-01 19:32
Severity
Summary
A race condition was identified through which privilege escalation was possible in certain configurations.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:0.9:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2023.4.8432",
"status": "affected",
"version": "0.9",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2024.1.12087",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.2075",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T17:03:49.379549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1223",
"description": "CWE-1223 Race Condition for Write-Once Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-19T22:04:50.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.8432",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2024.1.12087",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.2075",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A race condition was identified through which privilege escalation was possible in certain configurations."
}
],
"value": "A race condition was identified through which privilege escalation was possible in certain configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition could lead to privilege escalation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T01:02:46.880Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-01/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-2975",
"datePublished": "2024-04-09T01:02:46.880Z",
"dateReserved": "2024-03-27T05:50:03.804Z",
"dateUpdated": "2024-08-01T19:32:42.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2247
Vulnerability from cvelistv5
Published
2023-05-02 00:00
Modified
2024-08-02 06:19
Severity
Summary
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-07/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.3.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.10929",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2022.4.791",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function\u003c/p\u003e"
}
],
"value": "In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Variable preview can unmask secrets",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T07:10:25.398Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-07/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-2247",
"datePublished": "2023-05-02T00:00:00",
"dateReserved": "2023-04-24T00:00:00",
"dateUpdated": "2024-08-02T06:19:14.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29890
Vulnerability from cvelistv5
Published
2022-07-15 07:40
Modified
2024-08-03 06:33
Severity
Summary
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-07/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:43.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-07/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.7.0",
"versionType": "custom"
},
{
"lessThan": "2021.3.13021",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.2894",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.6971",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.2387",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored Cross-Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-15T07:40:16",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-07/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-29890",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2019.7.0"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.13021"
},
{
"version_affected": "\u003e=",
"version_value": "2022.1.2121"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2894"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.6971"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.2387"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stored Cross-Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-07/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-07/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-29890",
"datePublished": "2022-07-15T07:40:16",
"dateReserved": "2022-06-06T00:00:00",
"dateUpdated": "2024-08-03T06:33:43.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2259
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2024-08-03 00:32
Severity
Summary
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-04/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.11098",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8463",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2023.1.4189",
"versionType": "custom"
},
{
"lessThan": "2023.1.9672",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Able to view workerpools without assigned permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-04/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2259",
"datePublished": "2023-03-13T00:00:00",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2721
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.679Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-24/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7965",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.9163",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insertion of sensitive information into log file",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-25T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-24/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2721",
"datePublished": "2022-11-25T00:00:00",
"dateReserved": "2022-08-09T00:00:00",
"dateUpdated": "2024-08-03T00:46:03.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1901
Vulnerability from cvelistv5
Published
2022-08-19 07:55
Modified
2024-08-03 00:17
Severity
Summary
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-09/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:17:00.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-09/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.7.3",
"versionType": "custom"
},
{
"lessThan": "2022.1.3009",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7244",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.4953",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sensitive Variable Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T07:55:08",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-09/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-1901",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2019.7.3"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.3009"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.7244"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.4953"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sensitive Variable Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-09/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-09/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-1901",
"datePublished": "2022-08-19T07:55:08",
"dateReserved": "2022-05-27T00:00:00",
"dateUpdated": "2024-08-03T00:17:00.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2720
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:03.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-18/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.16.4",
"versionType": "custom"
},
{
"lessThan": "2022.1.3134",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7934",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-18/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2720",
"datePublished": "2022-10-12T00:00:00",
"dateReserved": "2022-08-09T00:00:00",
"dateUpdated": "2024-08-03T00:46:03.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-4898
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2024-08-03 01:55
Severity
Summary
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:45.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2023-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.7.0",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored Cross-Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-21T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2023-01/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4898",
"datePublished": "2023-01-31T00:00:00",
"dateReserved": "2023-01-30T00:00:00",
"dateUpdated": "2024-08-03T01:55:45.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1502
Vulnerability from cvelistv5
Published
2022-05-04 06:15
Modified
2024-08-03 00:03
Severity
Summary
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-03/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:06.436Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"status": "affected",
"version": "\u003c"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken access control in API for projects using Git VCS in Octopus Server",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-04T06:15:11",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-03/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-1502",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "2022.1.2454",
"version_value": "\u003c"
},
{
"version_affected": "2021.3.12725",
"version_value": "\u003c"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken access control in API for projects using Git VCS in Octopus Server"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-03/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-03/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-1502",
"datePublished": "2022-05-04T06:15:11",
"dateReserved": "2022-04-27T00:00:00",
"dateUpdated": "2024-08-03T00:03:06.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-1656
Vulnerability from cvelistv5
Published
2024-09-11 04:05
Modified
2024-09-11 18:13
Severity
Summary
Affected versions of Octopus Server had a weak content security policy.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:12:55.014065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:13:07.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2018.1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-09-11T01:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected versions of Octopus Server had a weak content security policy."
}
],
"value": "Affected versions of Octopus Server had a weak content security policy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Content Security Policy Configuration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T04:05:31.487Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-08/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-1656",
"datePublished": "2024-09-11T04:05:31.487Z",
"dateReserved": "2024-02-20T06:02:20.284Z",
"dateUpdated": "2024-09-11T18:13:07.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2075
Vulnerability from cvelistv5
Published
2022-08-19 09:10
Modified
2024-08-03 00:24
Severity
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-12/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-12/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.1.2894",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.6872",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.4953",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regex Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T09:10:09",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-12/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-2075",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2894"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.6872"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.4953"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regex Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-12/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-12/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2075",
"datePublished": "2022-08-19T09:10:09",
"dateReserved": "2022-06-14T00:00:00",
"dateUpdated": "2024-08-03T00:24:44.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-31817
Vulnerability from cvelistv5
Published
2021-07-08 10:43
Modified
2024-08-03 23:10
Severity
Summary
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:10:30.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31817%29.2121138201.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2020.6.4671",
"versionType": "custom"
},
{
"lessThan": "2020.6.5146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.1.7149",
"versionType": "custom"
},
{
"lessThan": "2021.1.7316",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cleartext Storage of Sensitive Information (Linux Container)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-08T10:43:40",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31817%29.2121138201.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2021-31817",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2020.6.4671"
},
{
"version_affected": "\u003c",
"version_value": "2020.6.5146"
},
{
"version_affected": "\u003e=",
"version_value": "2021.1.7149"
},
{
"version_affected": "\u003c",
"version_value": "2021.1.7316"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext Storage of Sensitive Information (Linux Container)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31817).2121138201.html",
"refsource": "MISC",
"url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31817).2121138201.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2021-31817",
"datePublished": "2021-07-08T10:43:40",
"dateReserved": "2021-04-26T00:00:00",
"dateUpdated": "2024-08-03T23:10:30.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1881
Vulnerability from cvelistv5
Published
2022-07-15 07:40
Modified
2024-08-03 00:17
Severity
Summary
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-06/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:17:00.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-06/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2021.1.1",
"versionType": "custom"
},
{
"lessThan": "2021.3.13021",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.2894",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.6971",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.2616",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Direct Object Reference (IDOR)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-15T07:40:10",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-06/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-1881",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2021.1.1"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.13021"
},
{
"version_affected": "\u003e=",
"version_value": "2022.1.2121"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2894"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.6971"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.2616"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Direct Object Reference (IDOR)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-06/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-06/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-1881",
"datePublished": "2022-07-15T07:40:10",
"dateReserved": "2022-05-25T00:00:00",
"dateUpdated": "2024-08-03T00:17:00.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-7998
Vulnerability from cvelistv5
Published
2024-08-21 05:30
Modified
2024-08-21 13:26
Severity
Summary
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:26:30.899592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T13:26:42.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.1.12931",
"status": "affected",
"version": "2022.4.8332",
"versionType": "custom"
},
{
"lessThan": "2024.1.12931",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.9313",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan."
}
],
"value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect OIDC cookie expiration time",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T05:30:35.851Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-07/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-7998",
"datePublished": "2024-08-21T05:30:35.851Z",
"dateReserved": "2024-08-19T23:06:26.081Z",
"dateUpdated": "2024-08-21T13:26:42.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2258
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2024-08-03 00:32
Severity
Summary
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.501Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.11098",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8463",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2023.1.4189",
"versionType": "custom"
},
{
"lessThan": "2023.1.9672",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Able to view tagsets without assigned permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-03/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2258",
"datePublished": "2023-03-13T00:00:00",
"dateReserved": "2022-06-30T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23184
Vulnerability from cvelistv5
Published
2022-02-07 02:35
Modified
2024-08-03 03:36
Severity
Summary
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-02/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-02/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2021.2.8011",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2021.3.11057",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect Vulnerability in Octopus Server",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-07T02:35:09",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-02/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-23184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2021.2.8011"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.11057"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Open Redirect Vulnerability in Octopus Server"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-02/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-02/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-23184",
"datePublished": "2022-02-07T02:35:09",
"dateReserved": "2022-01-12T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2883
Vulnerability from cvelistv5
Published
2023-02-22 00:00
Modified
2024-08-03 00:52
Severity
Summary
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-02/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.3.11043",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8401",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Zipbomb resource exhaustion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-02/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2883",
"datePublished": "2023-02-22T00:00:00",
"dateReserved": "2022-08-17T00:00:00",
"dateUpdated": "2024-08-03T00:52:59.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2760
Vulnerability from cvelistv5
Published
2022-09-28 00:00
Modified
2024-08-03 00:46
Severity
Summary
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
References
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:46:04.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-14/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.5.7",
"versionType": "custom"
},
{
"lessThan": "2022.1.3180",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.7965",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10586",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-06T00:00:00",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-14/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2760",
"datePublished": "2022-09-28T00:00:00",
"dateReserved": "2022-08-11T00:00:00",
"dateUpdated": "2024-08-03T00:46:04.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-2049
Vulnerability from cvelistv5
Published
2022-08-19 08:45
Modified
2024-08-03 00:24
Severity
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
References
| URL | Tags |
|---|---|
| https://advisories.octopus.com/post/2022/sa2022-10/ | x_refsource_MISC |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:43.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-10/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.1.2894",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.6729",
"versionType": "custom"
},
{
"lessThan": "2022.2.6872",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.4953",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Regex Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T08:45:14",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-10/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-2049",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.2894"
},
{
"version_affected": "\u003e=",
"version_value": "2022.2.6729"
},
{
"version_affected": "\u003c",
"version_value": "2022.2.6872"
},
{
"version_affected": "\u003e=",
"version_value": "2022.3.348"
},
{
"version_affected": "\u003c",
"version_value": "2022.3.4953"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Regex Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-10/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-10/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2049",
"datePublished": "2022-08-19T08:45:14",
"dateReserved": "2022-06-10T00:00:00",
"dateUpdated": "2024-08-03T00:24:43.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}