Vulnerabilities related to Octopus Deploy - Octopus Server
cve-2022-1901
Vulnerability from cvelistv5
Published
2022-08-19 07:55
Modified
2024-08-03 00:17
Summary
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-09/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2019.7.3 <= version < 2022.1.3009; 2022.2.6729 <= version < 2022.2.7244; 2022.3.348 <= version < 2022.3.4953 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:17:00.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-09/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.7.3", "versionType": "custom" }, { "lessThan": "2022.1.3009", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7244", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.4953", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Sensitive Variable Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-19T07:55:08", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-09/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-1901", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2019.7.3" }, { "version_affected": "\u003c", "version_value": "2022.1.3009" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.7244" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.4953" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Sensitive Variable Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-09/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-09/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-1901", "datePublished": "2022-08-19T07:55:08", "dateReserved": "2022-05-27T00:00:00", "dateUpdated": "2024-08-03T00:17:00.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2780
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2021.2.994 <= version < 2022.1.3180; 2022.2.6729 <= version < 2022.2.7965; 2022.3.348 <= version < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.527Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-20/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2021.2.994", "versionType": "custom" }, { "lessThan": "2022.1.3180", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7965", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack." } ], "problemTypes": [ { "descriptions": [ { "description": "Authentication Bypass by Capture-Replay", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-14T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-20/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2780", "datePublished": "2022-10-14T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.527Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-6972
Vulnerability from cvelistv5
Published
2024-07-25 05:16
Modified
2024-11-26 15:37
Summary
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2024.1 <= version < 2024.1.12759; 2024.2 <= version < 2024.2.9193 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-6972", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-25T14:56:25.168310Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-26T15:37:28.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T21:45:38.363Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/sa2024-06/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.1.12759", "status": "affected", "version": "2024.1", "versionType": "custom" }, { "lessThan": "2024.2.9193", "status": "affected", "version": "2024.2", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text." } ], "value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Sensitive Variables exposed in TaskLogs", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-25T05:16:49.256Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-06/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-6972", "datePublished": "2024-07-25T05:16:49.256Z", "dateReserved": "2024-07-22T02:03:32.352Z", "dateUpdated": "2024-11-26T15:37:28.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31816
Vulnerability from cvelistv5
Published
2021-07-08 10:43
Modified
2024-08-03 23:10
Summary
When Octopus Server is configured with an external SQL database, the database password is written in plaintext to the OctopusServer.txt log file during initial configuration.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 0.9 <= version < 2020.6.5146; 2021.1.7149 <= version < 2021.1.7316 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.262Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31816%29.2121793537.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2020.6.5146", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2021.1.7149", "versionType": "custom" }, { "lessThan": "2021.1.7316", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cleartext Storage of Sensitive Information (Windows)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-08T10:43:39", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31816%29.2121793537.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2021-31816", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2020.6.5146" }, { "version_affected": "\u003e=", "version_value": "2021.1.7149" }, { "version_affected": "\u003c", "version_value": "2021.1.7316" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cleartext Storage of Sensitive Information (Windows)" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html", "refsource": "MISC", "url": "https://advisories.octopus.com/adv/2021-05---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31816).2121793537.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2021-31816", "datePublished": "2021-07-08T10:43:39", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:30.262Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2782
Vulnerability from cvelistv5
Published
2022-10-26 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 0.9 <= version < 2022.2.8351; 2022.3.348 <= version < 2022.3.10586; 2022.4.791 <= version < 2022.4.2898 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-21/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.2.8351", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.2898", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters." } ], "problemTypes": [ { "descriptions": [ { "description": "Insufficient Session Expiration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-26T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-21/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2782", "datePublished": "2022-10-26T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-26556
Vulnerability from cvelistv5
Published
2021-10-07 01:00
Modified
2024-08-03 20:26
Summary
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 0.9 <= version < 2020.4.229; 2020.5.0 <= version < 2020.5.256 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:26:25.523Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-%28CVE-2021-26556%29.1733296189.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2020.4.229", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2020.5.0", "versionType": "custom" }, { "lessThan": "2020.5.256", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Local privilege escalation in Octopus Server (Windows)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-07T01:00:12", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-%28CVE-2021-26556%29.1733296189.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2021-26556", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2020.4.229" }, { "version_affected": "\u003e=", "version_value": "2020.5.0" }, { "version_affected": "\u003c", "version_value": "2020.5.256" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Local privilege escalation in Octopus Server (Windows)" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-(CVE-2021-26556).1733296189.html", "refsource": "MISC", "url": "https://advisories.octopus.com/adv/2021-01---Local-privilege-escalation-in-Octopus-Server-(CVE-2021-26556).1733296189.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2021-26556", "datePublished": "2021-10-07T01:00:12", "dateReserved": "2021-02-02T00:00:00", "dateUpdated": "2024-08-03T20:26:25.523Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2721
Vulnerability from cvelistv5
Published
2022-11-25 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plain text when verbose logging is enabled.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2022.2.6729 <= version < 2022.2.7965; 2022.3.348 <= version < 2022.3.9163 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:03.679Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-24/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7965", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.9163", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled." } ], "problemTypes": [ { "descriptions": [ { "description": "Insertion of sensitive information into log file", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-25T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-24/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2721", "datePublished": "2022-11-25T00:00:00", "dateReserved": "2022-08-09T00:00:00", "dateUpdated": "2024-08-03T00:46:03.679Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3460
Vulnerability from cvelistv5
Published
2023-01-02 00:00
Modified
2024-08-03 01:07
Summary
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2018.3.1 <= version < 2021.3.13150; 2022.1.2121 <= version < 2022.1.3281; 2022.2.7897 <= version < 2022.2.8552; 2022.3.348 <= version < 2022.3.10750; 2022.4.791 <= version < 2022.4.8221 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:07:06.736Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-25/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2018.3.1", "versionType": "custom" }, { "lessThan": "2021.3.13150", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.1.2121", "versionType": "custom" }, { "lessThan": "2022.1.3281", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.7897", "versionType": "custom" }, { "lessThan": "2022.2.8552", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10750", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8221", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Exposure of Sensitive Information Through Environmental Variables", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-02T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-25/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-3460", "datePublished": "2023-01-02T00:00:00", "dateReserved": "2022-10-11T00:00:00", "dateUpdated": "2024-08-03T01:07:06.736Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4870
Vulnerability from cvelistv5
Published
2023-05-18 00:00
Modified
2025-01-21 20:38
Summary
In affected versions of Octopus Deploy it is possible to discover network details via an error message.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 3.0 <= version < 2023.1.9879 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:55:45.795Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-09/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-4870", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-21T20:34:54.967887Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-21T20:38:12.063Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.0", "versionType": "custom" }, { "lessThan": "2023.1.9879", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to discover network details via error message" } ], "problemTypes": [ { "descriptions": [ { "description": "Network discovery via error message detail", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-18T00:00:00", "orgId": 
"6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-09/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-4870", "datePublished": "2023-05-18T00:00:00", "dateReserved": "2023-01-03T00:00:00", "dateUpdated": "2025-01-21T20:38:12.063Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2013
Vulnerability from cvelistv5
Published
2022-06-12 23:50
Modified
2024-08-03 00:24
Summary
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-05/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Affected ranges: 2022.1.1495 <= version < 2022.1.2647 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:43.695Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-05/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2022.1.1495", "versionType": "custom" }, { "lessThan": "2022.1.2647", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space." } ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-12T23:50:09", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-05/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-2013", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2022.1.1495" }, { "version_affected": "\u003c", "version_value": "2022.1.2647" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new 
users would have access to the Script Console within their private space." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-05/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-05/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2013", "datePublished": "2022-06-12T23:50:09", "dateReserved": "2022-06-07T00:00:00", "dateUpdated": "2024-08-03T00:24:43.695Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2760
Vulnerability from cvelistv5
Published
2022-09-28 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Deploy, an error message can reveal the Space ID of a space that the user does not have access to view, when a resource belongs to another Space.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.5.7 < unspecified Version: unspecified < 2022.1.3180 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7965 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.424Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-14/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.5.7", "versionType": "custom" }, { "lessThan": "2022.1.3180", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7965", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space." } ], "problemTypes": [ { "descriptions": [ { "description": "Information exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-06T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-14/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2760", "datePublished": "2022-09-28T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.424Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4898
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2024-08-03 01:55
Summary
In affected versions of Octopus Server, the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07; however, it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the support link from being susceptible to XSS.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.7.0 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8319 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:55:45.702Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2023-01/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.7.0", "versionType": "custom" }, { "lessThan": "2022.2.8552", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10750", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8319", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. 
A different approach was taken to prevent the possibility of the support link being susceptible to XSS" } ], "problemTypes": [ { "descriptions": [ { "description": "Stored Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-21T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2023-01/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-4898", "datePublished": "2023-01-31T00:00:00", "dateReserved": "2023-01-30T00:00:00", "dateUpdated": "2024-08-03T01:55:45.702Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2528
Vulnerability from cvelistv5
Published
2022-09-09 07:50
Modified
2024-08-03 00:39
Summary
In affected versions of Octopus Deploy, it is possible to upload a package to the built-in feed with insufficient permissions after packages have been re-indexed.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-13/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.0 < unspecified Version: unspecified < 2022.1.3106 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7718 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.7782 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:08.062Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-13/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.0", "versionType": "custom" }, { "lessThan": "2022.1.3106", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7718", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.7782", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-09-09T07:50:08", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-13/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-2528", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "3.0" }, { "version_affected": "\u003c", "version_value": "2022.1.3106" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.7718" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.7782" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-13/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-13/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2528", "datePublished": "2022-09-09T07:50:08", "dateReserved": "2022-07-25T00:00:00", "dateUpdated": "2024-08-03T00:39:08.062Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2783
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server, it was identified that a session cookie could be used as the CSRF token.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.12.0 < unspecified Version: unspecified < 2022.1.3154 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7897 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.456Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-17/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.12.0", "versionType": "custom" }, { "lessThan": "2022.1.3154", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7897", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token" } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-11T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-17/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2783", "datePublished": "2022-10-06T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.456Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3614
Vulnerability from cvelistv5
Published
2023-01-03 00:00
Modified
2024-08-03 01:14
Summary
In affected versions of Octopus Deploy, users of certain browsers who used AD to sign in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect URL without any validation.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.5.1 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8063 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:14:02.447Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-26/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.5.1", "versionType": "custom" }, { "lessThan": "2022.2.8552", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10750", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8063", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-03T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-26/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-3614", "datePublished": "2023-01-03T00:00:00", "dateReserved": "2022-10-19T00:00:00", "dateUpdated": "2024-08-03T01:14:02.447Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1502
Vulnerability from cvelistv5
Published
2022-05-04 06:15
Modified
2024-08-03 00:03
Summary
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-03/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.436Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-03/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "status": "affected", "version": "\u003c" } ] } ], "descriptions": [ { "lang": "en", "value": "Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions." } ], "problemTypes": [ { "descriptions": [ { "description": "Broken access control in API for projects using Git VCS in Octopus Server", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-04T06:15:11", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-03/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-1502", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "2022.1.2454", "version_value": "\u003c" }, { "version_affected": "2021.3.12725", "version_value": "\u003c" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken access control in API for projects using Git VCS in Octopus Server" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-03/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-03/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-1502", "datePublished": "2022-05-04T06:15:11", "dateReserved": "2022-04-27T00:00:00", "dateUpdated": "2024-08-03T00:03:06.436Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-0588
Vulnerability from cvelistv5
Published
2025-02-11 11:22
Modified
2025-02-12 15:16
Summary
In affected versions of Octopus Server, it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specially crafted referrer header, the user could ensure that all subsequent server responses would return 500 errors, rendering the site mostly unusable. The user could subsequently set and unset the referrer header to control the denial-of-service state using a valid CSRF token, while new CSRF tokens could not be generated.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2020.1.0 < 2024.3.13097 Version: 2024.4.401 < 2024.4.7091 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-0588", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T14:32:53.027472Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T15:16:33.265Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "broken-link" ], "url": "https://advisories.octopus.com/post/2024/sa2025-05/" }, { "tags": [ "vendor-advisory" ], "url": "https://advisories.octopus.com/post/2025/sa2025-05/" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.3.13097", "status": "affected", "version": "2020.1.0", "versionType": "custom" }, { "lessThan": "2024.4.7091", "status": "affected", "version": "2024.4.401", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This vulnerability was found by Edward Prior (@JankhJankh)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated." } ], "value": "In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. 
By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Denial of Service with Backdoor access", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T11:22:27.034Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2025-05/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2025-0588", "datePublished": "2025-02-11T11:22:27.034Z", "dateReserved": "2025-01-20T05:46:19.249Z", "dateUpdated": "2025-02-12T15:16:33.265Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2507
Vulnerability from cvelistv5
Published
2023-04-19 00:00
Modified
2025-02-05 15:50
Summary
In affected versions of Octopus Deploy, it is possible to render user-supplied input into the webpage.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10957 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8332 Version: unspecified < 2023.1.6715 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.831Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-06/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-2507", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-05T15:48:49.152129Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-05T15:50:48.042Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10957", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8332", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2023.1.6715", 
"status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage" } ], "problemTypes": [ { "descriptions": [ { "description": "Weak Content Security Policy Header", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-19T00:00:00.000Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-06/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2507", "datePublished": "2023-04-19T00:00:00.000Z", "dateReserved": "2022-07-22T00:00:00.000Z", "dateUpdated": "2025-02-05T15:50:48.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-1904
Vulnerability from cvelistv5
Published
2023-12-14 07:23
Modified
2024-09-18 07:09
Summary
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2022.2.7897 < unspecified Version: unspecified < 2023.1.11942 Version: unspecified < 2023.2.13151 Version: unspecified < 2023.3.5049 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:05:26.784Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-12/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2022.2.7897", "versionType": "custom" }, { "lessThan": "2023.1.11942", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2023.2.13151", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2023.3.5049", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eIn affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.\u003c/p\u003e" } ], "value": "In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "OpenID client secret logged in plain text during configuration", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-18T07:09:21.166Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-12/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2023-1904", "datePublished": "2023-12-14T07:23:08.589Z", "dateReserved": "2023-04-06T06:30:38.789Z", "dateUpdated": "2024-09-18T07:09:21.166Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2781
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.2.10 < unspecified Version: unspecified < 2022.1.3154 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7897 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.515Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-16/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.2.10", "versionType": "custom" }, { "lessThan": "2022.1.3154", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7897", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables." } ], "problemTypes": [ { "descriptions": [ { "description": "Encryption", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-11T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-16/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2781", "datePublished": "2022-10-06T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.515Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2049
Vulnerability from cvelistv5
Published
2022-08-19 08:45
Modified
2024-08-03 00:24
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-10/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.1.2894 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.6872 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.4953 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:43.963Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-10/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.1.2894", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.6872", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.4953", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Regex Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-19T08:45:14", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-10/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-2049", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2022.1.2894" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.6872" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.4953" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Regex Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-10/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-10/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2049", "datePublished": "2022-08-19T08:45:14", "dateReserved": "2022-06-10T00:00:00", "dateUpdated": "2024-08-03T00:24:43.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2416
Vulnerability from cvelistv5
Published
2023-08-02 05:26
Modified
2024-10-11 14:08
Summary
In affected versions of Octopus Deploy it is possible for a low-privileged guest user to craft a request that allows enumeration/reconnaissance of an environment.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.4.0 < 2022.4.9997 Version: 2023.1.0 < 2023.1.10235 Version: 2023.2.0 < 2023.2.10545 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:07.800Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-11/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2416", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T13:02:58.972130Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T14:08:57.814Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2022.4.9997", "status": "affected", "version": "2019.4.0", "versionType": "custom" }, { "lessThan": "2023.1.10235", "status": "affected", "version": "2023.1.0", "versionType": "custom" }, { "lessThan": "2023.2.10545", "status": "affected", "version": "2023.2.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment." } ], "value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Blind SSRF vulnerability that allows enumeration/recon of an environment", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-02T05:26:10.773Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-11/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2416", "datePublished": "2023-08-02T05:26:10.773Z", "dateReserved": "2022-07-15T00:45:56.517Z", "dateUpdated": "2024-10-11T14:08:57.814Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2074
Vulnerability from cvelistv5
Published
2022-08-19 09:00
Modified
2024-08-03 00:24
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-11/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.1.2894 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.6872 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.4953 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.217Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-11/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.1.2894", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.6872", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.4953", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Regex Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-19T09:00:20", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-11/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-2074", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2022.1.2894" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.6872" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.4953" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Regex Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-11/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-11/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2074", "datePublished": "2022-08-19T09:00:20", "dateReserved": "2022-06-14T00:00:00", "dateUpdated": "2024-08-03T00:24:44.217Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-4509
Vulnerability from cvelistv5
Published
2024-04-17 23:10
Modified
2024-11-07 16:55
Summary
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2018.9 < 2023.4.296 Version: 2024.1 < 2024.1.437 Version: 2024.2 < 2024.2.101 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "octopus_server", "vendor": "octopus", "versions": [ { "lessThan": "2024.2.101", "status": "affected", "version": "2024.2", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-4509", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-23T19:18:35.698764Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T16:55:13.840Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:05.976Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/sa2024-02/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2023.4.296", "status": "affected", "version": "2018.9", "versionType": "custom" }, { "lessThan": "2024.1.437", "status": "affected", "version": "2024.1", "versionType": "custom" }, { "lessThan": "2024.2.101", "status": "affected", "version": "2024.2", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt." 
} ], "value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "API key disclosed in Octopus Server audit log", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-18T07:12:55.561Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-02/" } ], "source": { "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2023-4509", "datePublished": "2024-04-17T23:10:37.111Z", "dateReserved": "2023-08-24T03:00:03.168Z", "dateUpdated": "2024-11-07T16:55:13.840Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-23184
Vulnerability from cvelistv5
Published
2022-02-07 02:35
Modified
2024-08-03 03:36
Summary
In affected Octopus Server versions, when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-02/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: unspecified < 2021.2.8011 Version: unspecified < 2021.3.11057 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.357Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-02/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2021.2.8011", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2021.3.11057", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects." } ], "problemTypes": [ { "descriptions": [ { "description": "Open Redirect Vulnerability in Octopus Server", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-07T02:35:09", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-02/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-23184", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "2021.2.8011" }, { "version_affected": "\u003c", "version_value": "2021.3.11057" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Open Redirect Vulnerability in Octopus Server" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-02/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-02/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-23184", "datePublished": "2022-02-07T02:35:09", "dateReserved": "2022-01-12T00:00:00", "dateUpdated": "2024-08-03T03:36:20.357Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4456
Vulnerability from cvelistv5
Published
2024-05-08 00:46
Modified
2025-01-16 06:45
Summary
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.0 < 2023.3.13361 Version: 2023.4.296 < 2023.4.8338 Version: 2024.1.437 < 2024.1.11127 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-4456", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-08T15:05:42.820687Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-06T17:45:59.630Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:40:47.292Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/sa2024-04/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2023.3.13361", "status": "affected", "version": "3.0", "versionType": "custom" }, { "lessThan": "2023.4.8338", "status": "affected", "version": "2023.4.296", "versionType": "custom" }, { "lessThan": "2024.1.11127", "status": "affected", "version": "2024.1.437", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page." } ], "value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Stored XSS in Audit Page", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-16T06:45:47.638Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-04/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-4456", "datePublished": "2024-05-08T00:46:31.887Z", "dateReserved": "2024-05-03T06:20:51.354Z", "dateUpdated": "2025-01-16T06:45:47.638Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-0525
Vulnerability from cvelistv5
Published
2025-02-11 09:53
Modified
2025-02-11 14:32
Summary
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2020.6.4592 < 2024.3.13007 Version: 2024.4.401 < 2024.4.6995 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-0525", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T14:29:03.230997Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T14:32:33.758Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.3.13007", "status": "affected", "version": "2020.6.4592", "versionType": "custom" }, { "lessThan": "2024.4.6995", "status": "affected", "version": "2024.4.401", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This vulnerability was found by Edward Prior (@JankhJankh)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server." 
} ], "value": "In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "File Existence Disclosure", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T09:57:57.720Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2025-02/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2025-0525", "datePublished": "2025-02-11T09:53:25.849Z", "dateReserved": "2025-01-17T02:42:42.838Z", "dateUpdated": "2025-02-11T14:32:33.758Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-0589
Vulnerability from cvelistv5
Published
2025-02-11 08:59
Modified
2025-02-11 15:20
Summary
In affected versions of Octopus Deploy where customers are using Active Directory for authentication, it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests, when crafted correctly, would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information (Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2020.3.3 < 2024.3.13071 Version: 2024.4.401 < 2024.4.7065 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-0589", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T15:06:16.630094Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-648", "description": "CWE-648 Incorrect Use of Privileged APIs", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T15:20:52.205Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.3.13071", "status": "affected", "version": "2020.3.3", "versionType": "custom" }, { "lessThan": "2024.4.7065", "status": "affected", "version": "2024.4.401", "versionType": "custom" } ] } ], "datePublic": "2025-01-23T11:15:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself." } ], "value": "In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. 
The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Active Directory data can be read using API endpoints without Authentication", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T11:15:28.234Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2025/sa2025-01/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2025-0589", "datePublished": "2025-02-11T08:59:51.030Z", "dateReserved": "2025-01-20T05:49:45.502Z", "dateUpdated": "2025-02-11T15:20:52.205Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2075
Vulnerability from cvelistv5
Published
2022-08-19 09:10
Modified
2024-08-03 00:24
Summary
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-12/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.1.2894 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.6872 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.4953 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:24:44.145Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-12/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.1.2894", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.6872", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.4953", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Regex Denial of Service", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-19T09:10:09", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-12/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-2075", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2022.1.2894" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.6872" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.4953" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Regex Denial of Service" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-12/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-12/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2075", "datePublished": "2022-08-19T09:10:09", "dateReserved": "2022-06-14T00:00:00", "dateUpdated": "2024-08-03T00:24:44.145Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-4009
Vulnerability from cvelistv5
Published
2023-03-16 00:00
Modified
2024-08-03 01:27
Summary
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.0.19 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8319 Version: unspecified < 2023.1.4189 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:27:54.167Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-05/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.0.19", "versionType": "custom" }, { "lessThan": "2022.2.8552", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10750", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8319", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2023.1.4189", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation" } ], "problemTypes": [ { "descriptions": [ { "description": "Command injection via offline package creation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-16T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-05/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-4009", "datePublished": "2023-03-16T00:00:00", "dateReserved": "2022-11-16T00:00:00", "dateUpdated": "2024-08-03T01:27:54.167Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1881
Vulnerability from cvelistv5
Published
2022-07-15 07:40
Modified
2024-08-03 00:17
Summary
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-06/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2021.1.1 < unspecified Version: unspecified < 2021.3.13021 Version: 2022.1.2121 < unspecified Version: unspecified < 2022.1.2894 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.6971 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.2616 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:17:00.929Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-06/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2021.1.1", "versionType": "custom" }, { "lessThan": "2021.3.13021", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.1.2121", "versionType": "custom" }, { "lessThan": "2022.1.2894", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.6971", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.2616", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insecure Direct Object Reference (IDOR)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-15T07:40:10", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-06/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-1881", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2021.1.1" }, { "version_affected": "\u003c", "version_value": "2021.3.13021" }, { "version_affected": "\u003e=", "version_value": "2022.1.2121" }, { "version_affected": "\u003c", "version_value": "2022.1.2894" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.6971" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.2616" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insecure Direct Object Reference (IDOR)" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-06/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-06/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-1881", "datePublished": "2022-07-15T07:40:10", "dateReserved": "2022-05-25T00:00:00", "dateUpdated": "2024-08-03T00:17:00.929Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2572
Vulnerability from cvelistv5
Published
2022-11-01 00:00
Modified
2024-08-03 00:39
Summary
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.5 < unspecified Version: unspecified < 2022.1.3264 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.8277 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.2898 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:08.148Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-23/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.5", "versionType": "custom" }, { "lessThan": "2022.1.3264", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.8277", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.2898", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-01T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-23/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2572", "datePublished": "2022-11-01T00:00:00", "dateReserved": "2022-07-29T00:00:00", "dateUpdated": "2024-08-03T00:39:08.148Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2778
Vulnerability from cvelistv5
Published
2022-09-30 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.0 < unspecified Version: unspecified < 2022.2.8277 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.1371 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:04.507Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-15/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.0", "versionType": "custom" }, { "lessThan": "2022.2.8277", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.1371", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes." } ], "problemTypes": [ { "descriptions": [ { "description": "Rate Limit Bypass", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-06T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-15/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2778", "datePublished": "2022-09-30T00:00:00", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-08-03T00:46:04.507Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4226
Vulnerability from cvelistv5
Published
2024-04-30 01:53
Modified
2024-12-04 17:19
Summary
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2022.2.5205 < 2022.2.7934 Version: 2022.3.348 < 2022.3.9163 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-4226", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-28T18:03:49.095055Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-04T17:19:41.428Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:33:52.915Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/SA2024-03/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2022.2.7934", "status": "affected", "version": "2022.2.5205", "versionType": "custom" }, { "lessThan": "2022.3.9163", "status": "affected", "version": "2022.3.348", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed." } ], "value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Users with no permissions can see all users", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-30T01:53:34.277Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/SA2024-03/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-4226", "datePublished": "2024-04-30T01:53:34.277Z", "dateReserved": "2024-04-26T03:52:25.114Z", "dateUpdated": "2024-12-04T17:19:41.428Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-30532
Vulnerability from cvelistv5
Published
2022-07-19 06:50
Modified
2024-08-03 06:48
Summary
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-08/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2021.3.13021 Version: 2022.1.2121 < unspecified Version: unspecified < 2022.1.2849 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.2387 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:48:36.351Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-08/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2021.3.13021", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.1.2121", "versionType": "custom" }, { "lessThan": "2022.1.2849", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.2387", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Insufficient Logging", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-19T06:50:10", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-08/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-30532", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2021.3.13021" }, { "version_affected": "\u003e=", "version_value": "2022.1.2121" }, { "version_affected": "\u003c", "version_value": "2022.1.2849" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.2387" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Insufficient Logging" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-08/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-08/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-30532", "datePublished": "2022-07-19T06:50:10", "dateReserved": "2022-06-06T00:00:00", "dateUpdated": "2024-08-03T06:48:36.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2828
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2024-08-03 00:52
Summary
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2022.1.2121 < unspecified Version: unspecified < 2022.1.3135 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7897 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:52:59.569Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-19/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2022.1.2121", "versionType": "custom" }, { "lessThan": "2022.1.3135", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7897", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability" } ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-13T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-19/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2828", "datePublished": "2022-10-13T00:00:00", "dateReserved": "2022-08-16T00:00:00", "dateUpdated": "2024-08-03T00:52:59.569Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2346
Vulnerability from cvelistv5
Published
2023-08-02 01:09
Modified
2024-10-11 14:08
Summary
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.4.0 < 2022.4.9997 Version: 2023.1.0 < 2023.1.10235 Version: 2023.2.0 < 2023.2.10545 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.594Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-10/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-2346", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-11T13:03:04.190086Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-11T14:08:43.852Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2022.4.9997", "status": "affected", "version": "2019.4.0", "versionType": "custom" }, { "lessThan": "2023.1.10235", "status": "affected", "version": "2023.1.0", "versionType": "custom" }, { "lessThan": "2023.2.10545", "status": "affected", "version": "2023.2.0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints." } ], "value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Guest user with low permissions able to interact with extension endpoints", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-08-02T02:02:12.977Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-10/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2346", "datePublished": "2023-08-02T01:09:01.761Z", "dateReserved": "2022-07-08T05:52:42.083Z", "dateUpdated": "2024-10-11T14:08:43.852Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-1656
Vulnerability from cvelistv5
Published
2024-09-11 04:05
Modified
2024-12-06 18:50
Summary
Affected versions of Octopus Server had a weak content security policy.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2018.1.0 < 2024.2.9193 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-1656", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:12:55.014065Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-06T18:50:10.627Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.2.9193", "status": "affected", "version": "2018.1.0", "versionType": "custom" } ] } ], "datePublic": "2024-09-11T01:48:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Affected versions of Octopus Server had a weak content security policy." } ], "value": "Affected versions of Octopus Server had a weak content security policy." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Insufficient Content Security Policy Configuration", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-11T04:05:31.487Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-08/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-1656", "datePublished": "2024-09-11T04:05:31.487Z", "dateReserved": "2024-02-20T06:02:20.284Z", "dateUpdated": "2024-12-06T18:50:10.627Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31818
Vulnerability from cvelistv5
Published
2021-06-17 13:22
Modified
2024-08-03 23:10
Summary
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2018.9.17 < unspecified Version: unspecified < 2020.6.5146 Version: 2021.1.7149 < unspecified Version: unspecified < 2021.1.7316 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.820Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2018.9.17", "versionType": "custom" }, { "lessThan": "2020.6.5146", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2021.1.7149", "versionType": "custom" }, { "lessThan": "2021.1.7316", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn\u2019t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables." 
} ], "problemTypes": [ { "descriptions": [ { "description": "SQL Injection", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-17T13:22:17", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-%28CVE-2021-31818%29.2013233248.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2021-31818", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2018.9.17" }, { "version_affected": "\u003c", "version_value": "2020.6.5146" }, { "version_affected": "\u003e=", "version_value": "2021.1.7149" }, { "version_affected": "\u003c", "version_value": "2021.1.7316" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn\u2019t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-(CVE-2021-31818).2013233248.html", "refsource": "MISC", "url": "https://advisories.octopus.com/adv/2021-04---SQL-Injection-in-the-Events-REST-API-(CVE-2021-31818).2013233248.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2021-31818", "datePublished": "2021-06-17T13:22:17", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:30.820Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-7998
Vulnerability from cvelistv5
Published
2024-08-21 05:30
Modified
2024-12-03 18:48
Summary
In affected versions of Octopus Server, OIDC cookies were using the wrong expiration time, which could result in them using the maximum lifespan.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2022.4.8332 < 2024.1.12931 Version: 2024.1.437 < 2024.1.12931 Version: 2024.2.101 < 2024.2.9313 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-7998", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-21T13:26:30.899592Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-03T18:48:03.793Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.1.12931", "status": "affected", "version": "2022.4.8332", "versionType": "custom" }, { "lessThan": "2024.1.12931", "status": "affected", "version": "2024.1.437", "versionType": "custom" }, { "lessThan": "2024.2.9313", "status": "affected", "version": "2024.2.101", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan." } ], "value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Incorrect OIDC cookie expiration time", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-21T05:30:35.851Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-07/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-7998", "datePublished": "2024-08-21T05:30:35.851Z", "dateReserved": "2024-08-19T23:06:26.081Z", "dateUpdated": "2024-12-03T18:48:03.793Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-29890
Vulnerability from cvelistv5
Published
2022-07-15 07:40
Modified
2024-08-03 06:33
Summary
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-07/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.7.0 < unspecified Version: unspecified < 2021.3.13021 Version: 2022.1.2121 < unspecified Version: unspecified < 2022.1.2894 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.6971 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.2387 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:33:43.062Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-07/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.7.0", "versionType": "custom" }, { "lessThan": "2021.3.13021", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.1.2121", "versionType": "custom" }, { "lessThan": "2022.1.2894", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.6971", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.2387", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Stored Cross-Site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-15T07:40:16", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-07/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-29890", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2019.7.0" }, { "version_affected": "\u003c", "version_value": "2021.3.13021" }, { "version_affected": "\u003e=", "version_value": "2022.1.2121" }, { "version_affected": "\u003c", "version_value": "2022.1.2894" }, { "version_affected": "\u003e=", "version_value": "2022.2.6729" }, { "version_affected": "\u003c", "version_value": "2022.2.6971" }, { "version_affected": "\u003e=", "version_value": "2022.3.348" }, { "version_affected": "\u003c", "version_value": "2022.3.2387" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Stored Cross-Site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-07/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-07/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-29890", "datePublished": "2022-07-15T07:40:16", "dateReserved": "2022-06-06T00:00:00", "dateUpdated": "2024-08-03T06:33:43.062Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-0513
Vulnerability from cvelistv5
Published
2025-02-11 10:27
Modified
2025-02-11 14:41
Summary
In affected versions of Octopus Server, error messages were handled unsafely on the error page. If an adversary could control any part of the error message, they could embed code which may impact the user viewing the error message.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2024.3.164 < 2024.3.12985 Version: 2024.4.401 < 2024.4.6962 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-0513", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T14:40:30.520706Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T14:41:18.275Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.3.12985", "status": "affected", "version": "2024.3.164", "versionType": "custom" }, { "lessThan": "2024.4.6962", "status": "affected", "version": "2024.4.401", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This vulnerability was found by Edward Prior (@JankhJankh)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message." } ], "value": "In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 1.8, "baseSeverity": "LOW", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "XSS in Octopus Deploy error page", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T10:27:26.482Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2025-04/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2025-0513", "datePublished": "2025-02-11T10:27:26.482Z", "dateReserved": "2025-01-16T06:52:12.103Z", "dateUpdated": "2025-02-11T14:41:18.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2258
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2024-08-03 00:32
Summary
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.1.0 < unspecified Version: unspecified < 2022.3.11098 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8463 Version: 2023.1.4189 < unspecified Version: unspecified < 2023.1.9672 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-03/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.1.0", "versionType": "custom" }, { "lessThan": "2022.3.11098", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8463", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2023.1.4189", "versionType": "custom" }, { "lessThan": "2023.1.9672", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items" } ], "problemTypes": [ { "descriptions": [ { "description": "Able to view tagsets without assigned permissions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-13T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-03/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2258", "datePublished": "2023-03-13T00:00:00", "dateReserved": "2022-06-30T00:00:00", "dateUpdated": "2024-08-03T00:32:09.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31817
Vulnerability from cvelistv5
Published
2021-07-08 10:43
Modified
2024-08-03 23:10
Summary
When Octopus Server is configured with an external SQL database, the database password is written to the OctopusServer.txt log file in plaintext during initial configuration.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2020.6.4671 < unspecified Version: unspecified < 2020.6.5146 Version: 2021.1.7149 < unspecified Version: unspecified < 2021.1.7316 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.181Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31817%29.2121138201.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2020.6.4671", "versionType": "custom" }, { "lessThan": "2020.6.5146", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2021.1.7149", "versionType": "custom" }, { "lessThan": "2021.1.7316", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cleartext Storage of Sensitive Information (Linux Container)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-08T10:43:40", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-%28CVE-2021-31817%29.2121138201.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2021-31817", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2020.6.4671" }, { "version_affected": "\u003c", "version_value": "2020.6.5146" }, { "version_affected": "\u003e=", "version_value": "2021.1.7149" }, { "version_affected": "\u003c", "version_value": "2021.1.7316" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cleartext Storage of Sensitive Information (Linux Container)" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31817).2121138201.html", "refsource": "MISC", "url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31817).2121138201.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2021-31817", "datePublished": "2021-07-08T10:43:40", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:30.181Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2720
Vulnerability from cvelistv5
Published
2022-10-12 00:00
Modified
2024-08-03 00:46
Summary
In affected versions of Octopus Server it was identified that, when a sensitive value is a substring of another value, sensitive-value masking only partially works.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 3.16.4 < unspecified Version: unspecified < 2022.1.3134 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.7934 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:46:03.684Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-18/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "3.16.4", "versionType": "custom" }, { "lessThan": "2022.1.3134", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.7934", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-13T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-18/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2720", "datePublished": "2022-10-12T00:00:00", "dateReserved": "2022-08-09T00:00:00", "dateUpdated": "2024-08-03T00:46:03.684Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2883
Vulnerability from cvelistv5
Published
2023-02-22 00:00
Modified
2024-08-03 00:52
Summary
In affected versions of Octopus Deploy it is possible to upload a zip bomb as a task, which results in a Denial of Service.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.3.11043 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8401 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:52:59.909Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-02/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.3.11043", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8401", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service" } ], "problemTypes": [ { "descriptions": [ { "description": "Zipbomb resource exhaustion", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-22T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-02/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2883", "datePublished": "2023-02-22T00:00:00", "dateReserved": "2022-08-17T00:00:00", "dateUpdated": "2024-08-03T00:52:59.909Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-2975
Vulnerability from cvelistv5
Published
2024-04-09 01:02
Modified
2024-09-19 04:48
Summary
A race condition was identified through which privilege escalation was possible in certain configurations.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < 2023.4.8432 Version: 2024.1.437 < 2024.1.12087 Version: 2024.2.101 < 2024.2.2075 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:octopus:octopus_server:0.9:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "octopus_server", "vendor": "octopus", "versions": [ { "lessThan": "2023.4.8432", "status": "affected", "version": "0.9", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "octopus_server", "vendor": "octopus", "versions": [ { "lessThan": "2024.1.12087", "status": "affected", "version": "2024.1.437", "versionType": "custom" }, { "lessThan": "2024.2.2075", "status": "affected", "version": "2024.2.101", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-2975", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-09T17:03:49.379549Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1223", "description": "CWE-1223 Race Condition for Write-Once Attributes", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-19T22:04:50.605Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:32:42.513Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/sa2024-01/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2023.4.8432", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2024.1.12087", "status": "affected", "version": "2024.1.437", "versionType": "custom" }, { "lessThan": "2024.2.2075", "status": "affected", 
"version": "2024.2.101", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A race condition was identified through which privilege escalation was possible in certain configurations." } ], "value": "A race condition was identified through which privilege escalation was possible in certain configurations." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Race condition could lead to privilege escalation", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-19T04:48:32.065Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-01/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-2975", "datePublished": "2024-04-09T01:02:46.880Z", "dateReserved": "2024-03-27T05:50:03.804Z", "dateUpdated": "2024-09-19T04:48:32.065Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-0526
Vulnerability from cvelistv5
Published
2025-02-11 10:09
Modified
2025-02-11 14:27
Summary
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation, which could potentially allow expected workflows to be circumvented.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2022.4.791 < 2024.3.13097 Version: 2024.4.401 < 2024.4.7091 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-0526", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T14:25:59.593142Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T14:27:51.045Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2024.3.13097", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2024.4.7091", "status": "affected", "version": "2024.4.401", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This vulnerability was found by Edward Prior (@JankhJankh)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows." 
} ], "value": "In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "File Upload Path Traversal", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-11T10:20:54.415Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2025-03/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2025-0526", "datePublished": "2025-02-11T10:09:56.067Z", "dateReserved": "2025-01-17T03:24:52.395Z", "dateUpdated": "2025-02-11T14:27:51.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1670
Vulnerability from cvelistv5
Published
2022-05-19 04:25
Modified
2024-08-03 00:10
Summary
When generating a user invitation code in Octopus Server, the code can be made valid for a specific number of users. It was possible to bypass this validity restriction and create extra user accounts above the initial number of invited users.
References
▼ | URL | Tags |
---|---|---|
https://advisories.octopus.com/post/2022/sa2022-04/ | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2021.3.12533 Version: 2022.1.0 < unspecified Version: unspecified < 2022.1.53 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.783Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-04/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2021.3.12533", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.1.0", "versionType": "custom" }, { "lessThan": "2022.1.53", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users." 
} ], "problemTypes": [ { "descriptions": [ { "description": "User invitation limit in Octopus Server can be exceeded", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-19T04:25:09", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/post/2022/sa2022-04/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2022-1670", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.9" }, { "version_affected": "\u003c", "version_value": "2021.3.12533" }, { "version_affected": "\u003e=", "version_value": "2022.1.0" }, { "version_affected": "\u003c", "version_value": "2022.1.53" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User invitation limit in Octopus Server can be exceeded" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/post/2022/sa2022-04/", "refsource": "MISC", "url": "https://advisories.octopus.com/post/2022/sa2022-04/" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-1670", "datePublished": "2022-05-19T04:25:09", "dateReserved": "2022-05-11T00:00:00", "dateUpdated": "2024-08-03T00:10:03.783Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-2247
Vulnerability from cvelistv5
Published
2023-05-02 00:00
Modified
2024-12-03 15:16
Summary
In affected versions of Octopus Deploy, it is possible to unmask variable secrets using the variable preview function.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2018.3.0 < unspecified Version: unspecified < 2022.3.10929 Version: unspecified < 2022.4.791 Version: unspecified < 2022.4.8319 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:19:14.102Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-07/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2247", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-03T15:16:07.719828Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-03T15:16:16.476Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2018.3.0", "versionType": "custom" }, { "lessThan": "2022.3.10929", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2022.4.791", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "2022.4.8319", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eIn affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function\u003c/p\u003e" } ], "value": "In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function\n\n" } ], "problemTypes": [ { "descriptions": [ { "description": "Variable preview can unmask secrets", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-14T07:10:25.398Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": 
"https://advisories.octopus.com/post/2023/sa2023-07/" } ], "source": { "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2023-2247", "datePublished": "2023-05-02T00:00:00", "dateReserved": "2023-04-24T00:00:00", "dateUpdated": "2024-12-03T15:16:16.476Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2259
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2024-08-03 00:32
Summary
In affected versions of Octopus Deploy, it is possible for a user to view Workerpools without having been explicitly assigned permission to view these items.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2019.1.0 < unspecified Version: unspecified < 2022.3.11098 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8463 Version: 2023.1.4189 < unspecified Version: unspecified < 2023.1.9672 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:32:09.439Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2023/sa2023-04/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2019.1.0", "versionType": "custom" }, { "lessThan": "2022.3.11098", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.8463", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2023.1.4189", "versionType": "custom" }, { "lessThan": "2023.1.9672", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items" } ], "problemTypes": [ { "descriptions": [ { "description": "Able to view workerpools without assigned permissions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-13T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2023/sa2023-04/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2259", "datePublished": "2023-03-13T00:00:00", "dateReserved": "2022-06-30T00:00:00", "dateUpdated": "2024-08-03T00:32:09.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31820
Vulnerability from cvelistv5
Published
2021-08-18 10:43
Modified
2024-08-03 23:10
Summary
In Octopus Server after version 2018.8.2, if the Octopus Server Web Request Proxy is configured with authentication, the proxy password is shown in plaintext in the UI.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2018.8.2 < unspecified Version: unspecified < 2020.6.5310 Version: 2021.1.7149 < unspecified Version: unspecified < 2021.1.7622 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:29.992Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-%28CVE-2021-31820%29.2193063986.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2018.8.2", "versionType": "custom" }, { "lessThan": "2020.6.5310", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2021.1.7149", "versionType": "custom" }, { "lessThan": "2021.1.7622", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Proxy Password Stored in Plaintext", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-18T10:43:57", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-%28CVE-2021-31820%29.2193063986.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@octopus.com", "ID": "CVE-2021-31820", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Octopus Server", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2018.8.2" }, { "version_affected": "\u003c", "version_value": "2020.6.5310" }, { "version_affected": "\u003e=", "version_value": "2021.1.7149" }, { "version_affected": "\u003c", "version_value": "2021.1.7622" } ] } } ] }, "vendor_name": "Octopus Deploy" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Proxy Password Stored in Plaintext" } ] } ] }, "references": { "reference_data": [ { "name": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-(CVE-2021-31820).2193063986.html", "refsource": "MISC", "url": "https://advisories.octopus.com/adv/2021-07---Proxy-Password-Stored-in-Plaintext-(CVE-2021-31820).2193063986.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2021-31820", "datePublished": "2021-08-18T10:43:57", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:29.992Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-2508
Vulnerability from cvelistv5
Published
2022-10-27 00:00
Modified
2024-08-03 00:39
Summary
In affected versions of Octopus Server, verbose error messages make it possible to reveal the existence of resources in a space that the user does not have access to.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.1.3264 Version: 2022.2.6729 < unspecified Version: unspecified < 2022.2.8351 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10586 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.2898 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:39:08.065Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2022/sa2022-22/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.9", "versionType": "custom" }, { "lessThan": "2022.1.3264", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.2.6729", "versionType": "custom" }, { "lessThan": "2022.2.8351", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.3.348", "versionType": "custom" }, { "lessThan": "2022.3.10586", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "2022.4.791", "versionType": "custom" }, { "lessThan": "2022.4.2898", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Information Exposure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2022/sa2022-22/" } ] } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2022-2508", "datePublished": "2022-10-27T00:00:00", "dateReserved": "2022-07-22T00:00:00", "dateUpdated": "2024-08-03T00:39:08.065Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4811
Vulnerability from cvelistv5
Published
2024-07-25 04:46
Modified
2025-01-16 06:43
Summary
In affected versions of Octopus Server, under certain conditions, a user with specific role assignments can access restricted project artifacts.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Octopus Deploy | Octopus Server |
Version: 2023.1 < 2023.4.8608 Version: 2024.1 < 2024.1.12759 Version: 2024.2 < 2024.2.9193 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-4811", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-25T13:17:06.536166Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-31T13:12:02.385Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:55:09.902Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://advisories.octopus.com/post/2024/sa2024-05/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "Windows", "Linux" ], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [ { "lessThan": "2023.4.8608", "status": "affected", "version": "2023.1", "versionType": "custom" }, { "lessThan": "2024.1.12759", "status": "affected", "version": "2024.1", "versionType": "custom" }, { "lessThan": "2024.2.9193", "status": "affected", "version": "2024.2", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts." } ], "value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "Access to failed project imports in restricted spaces", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-16T06:43:12.488Z", "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus" }, "references": [ { "url": "https://advisories.octopus.com/post/2024/sa2024-05/" } ], "source": { "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "assignerShortName": "Octopus", "cveId": "CVE-2024-4811", "datePublished": "2024-07-25T04:46:43.523Z", "dateReserved": "2024-05-13T02:06:31.944Z", "dateUpdated": "2025-01-16T06:43:12.488Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }