cve-2022-1670
Vulnerability from cvelistv5
Published
2022-05-19 04:25
Modified
2024-08-03 00:10
Severity
Summary
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
References
| Source | URL | Tags |
|---|---|---|
| security@octopus.com | https://advisories.octopus.com/post/2022/sa2022-04/ | Vendor Advisory |
Impacted products
| Vendor | Product |
|---|---|
| Octopus Deploy | Octopus Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2021.3.12533",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.1.53",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User invitation limit in Octopus Server can be exceeded",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T04:25:09",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@octopus.com",
"ID": "CVE-2022-1670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Octopus Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "0.9"
},
{
"version_affected": "\u003c",
"version_value": "2021.3.12533"
},
{
"version_affected": "\u003e=",
"version_value": "2022.1.0"
},
{
"version_affected": "\u003c",
"version_value": "2022.1.53"
}
]
}
}
]
},
"vendor_name": "Octopus Deploy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User invitation limit in Octopus Server can be exceeded"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.octopus.com/post/2022/sa2022-04/",
"refsource": "MISC",
"url": "https://advisories.octopus.com/post/2022/sa2022-04/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-1670",
"datePublished": "2022-05-19T04:25:09",
"dateReserved": "2022-05-11T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-1670\",\"sourceIdentifier\":\"security@octopus.com\",\"published\":\"2022-05-19T05:15:07.010\",\"lastModified\":\"2022-07-27T18:21:05.710\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.\"},{\"lang\":\"es\",\"value\":\"Cuando es generado un c\u00f3digo de invitaci\u00f3n de usuario en Octopus Server, la comprobaci\u00f3n de este c\u00f3digo puede establecerse para un n\u00famero espec\u00edfico de usuarios. Era posible omitir esta restricci\u00f3n de comprobaci\u00f3n para crear cuentas de usuario adicionales por encima del n\u00famero inicial de usuarios invitados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.9\",\"versionEndExcluding\":\"2021.3.12533\",\"matchCriteriaId\":\"A1F82F5F-A24D-4611-83F4-BFE131FDD51E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2022.1.0\",\"versionEndExcluding\":\"2022.1.53\",\"matchCriteriaId\":\"BE23BD46-4EC3-46C7-B890-0C44BA0F2DEB\"}]}]}],\"references\":[{\"url\":\"https://advisories.octopus.com/post/2022/sa2022-04/\",\"source\":\"security@octopus.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...