Latest Octopus Server Vulnerabilities

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
Octopus Octopus Server>=2022.1.2121<2023.1.11942
Octopus Octopus Server>=2023.2.2028<2023.2.13151
Octopus Octopus Server>=2023.3.317<2023.3.5049
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
Octopus Octopus Server>=2019.4.0<2022.4.9997
Octopus Octopus Server>=2023.1.4189<2023.1.10235
Octopus Octopus Server>=2023.2.2028<2023.2.10545
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
Octopus Octopus Server>=2019.4.0<2022.4.9997
Octopus Octopus Server>=2023.1.4189<2023.1.10235
Octopus Octopus Server>=2023.2.2028<2023.2.10545
In affected versions of Octopus Deploy it is possible to discover network details via an error message.
Octopus Octopus Server>=3.0.0<2023.1.9879
Octopus Octopus Server>=2023.2.2028<2023.2.8159
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
Octopus Octopus Server>=0.9<2022.3.11043
Octopus Octopus Server>=2022.4.791<2022.4.8401
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
Octopus Octopus Server<2023.1.9794
Octopus Octopus Server>=2022.4.0<2022.4.8332
Octopus Octopus Server>=2023.1.0<2023.1.6715
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
Octopus Octopus Server>=3.0.19<2022.2.8552
Octopus Octopus Server>=2022.3.348<2022.3.10750
Octopus Octopus Server>=2022.4.791<2022.4.8319
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
Octopus Octopus Server>=2019.1.0<2022.3.11098
Octopus Octopus Server>=2022.4.791<2022.4.8463
Octopus Octopus Server>=2023.1.4189<2023.1.9672
Octopus Octopus Server=2023.2.2028
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
Octopus Octopus Server>=2019.1.0<2022.3.11098
Octopus Octopus Server>=2022.4.791<2022.4.8463
Octopus Octopus Server>=2023.1.4189<2023.1.9672
Octopus Octopus Server=2023.2.2028
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
Octopus Octopus Server<2022.3.11043
Octopus Octopus Server>=2022.4.0<2022.4.8401
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url withou...
Octopus Octopus Server>=3.5<2022.3.10750
Octopus Octopus Server>=2022.4<2022.4.8063
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
Octopus Octopus Server>=2018.1.0<2022.3.10750
Octopus Octopus Server>=2022.4<2022.4.8063
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaintext when verbose logging is enabled.
Octopus Octopus Server>=2022.2.6729<2022.2.7965
Octopus Octopus Server>=2022.3.348<2022.3.9163
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the acces...
Octopus Octopus Server>=3.5<2022.1.3264
Octopus Octopus Server>=2022.2.6729<2022.2.8277
Octopus Octopus Server>=2022.3.348<2022.3.10586
Octopus Octopus Server>=2022.4.791<2022.4.2898
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
Octopus Octopus Server<2022.1.3264
Octopus Octopus Server>=2022.2.0<2022.2.8351
Octopus Octopus Server>=2022.3.0<2022.3.10586
Octopus Octopus Server>=2022.4.0<2022.4.2898
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
Octopus Octopus Server<2022.2.8351
Octopus Octopus Server>=2022.3.0<2022.3.10586
Octopus Octopus Server>=2022.4.0<2022.4.2898
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.
Octopus Octopus Server>=2021.2.994<2022.1.3180
Octopus Octopus Server>=2022.2.6729<2022.2.7965
Octopus Octopus Server>=2022.3.348<2022.3.10586
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
Octopus Octopus Server>=2022.1.2121<=2022.1.3135
Octopus Octopus Server>=2022.2.0<=2022.2.7897
Octopus Octopus Server>=2022.3.0<=2022.3.10586
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
Octopus Octopus Server>=3.16.4<2022.1.3154
Octopus Octopus Server>=2022.2.6729<2022.2.7934
Octopus Octopus Server>=2022.3.348<2022.3.10586
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
Octopus Octopus Server>=3.2.10<2022.1.3154
Octopus Octopus Server>=2022.2.6729<2022.2.7897
Octopus Octopus Server>=2022.3.348<2022.3.10586
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
Octopus Octopus Server>=3.12.0<2022.1.3154
Octopus Octopus Server>=2022.2.6729<2022.2.7897
Octopus Octopus Server>=2022.3.348<2022.3.10586
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
Octopus Octopus Server>=3.0<2022.2.8277
Octopus Octopus Server>=2022.3.348<2022.3.10405
Octopus Octopus Server>=2022.4.791<2022.4.1371
Platforms: Linux kernel, Microsoft Windows
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
Octopus Octopus Server>=2019.5.7<2022.1.3180
Octopus Octopus Server>=2022.2.0<2022.2.7965
Octopus Octopus Server>=2022.3.0<2022.3.10405
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
Octopus Octopus Server>=3.0.0<=4.1.10
Octopus Octopus Server>=2018.1.0<=2021.3.13021
Octopus Octopus Server>=2022.1.0<2022.1.3106
Octopus Octopus Server>=2022.2.6729<2022.2.7718
Octopus Octopus Server>=2022.3.348<2022.3.7782
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
Octopus Octopus Server>=0.9<=0.9.620.4
Octopus Octopus Server>=1.0<=1.6.3.1723
Octopus Octopus Server>=2.0<=2.6.5
Octopus Octopus Server>=3.0.0<=3.17.14
Octopus Octopus Server>=4.0.4<=4.1.10
Octopus Octopus Server>=2018.1.0<=2018.12.1
and 8 more
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
Octopus Octopus Server>=0.9<=0.9.620.4
Octopus Octopus Server>=1.0<=1.6.3.1723
Octopus Octopus Server>=2.0<=2.6.5
Octopus Octopus Server>=3.0.0<=3.17.14
Octopus Octopus Server>=4.0.4<=4.1.10
Octopus Octopus Server>=2018.1.0<=2018.12.1
and 8 more
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
Octopus Octopus Server>=2019.1.0<=2019.7.3
Octopus Octopus Server>=2020.1.0<=2020.6.5449
Octopus Octopus Server>=2021.1.6959<=2021.3.13021
Octopus Octopus Server>=2022.1.0<2022.1.3009
Octopus Octopus Server>=2022.2.6729<2022.2.7244
Octopus Octopus Server>=2022.3.348<2022.3.4953
and 2 more
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
Octopus Octopus Server>=0.9<2021.3.13021
Octopus Octopus Server>=2022.1.0<2022.1.2849
Octopus Octopus Server>=2022.3.348<2022.3.2387
Platforms: Linux kernel, Microsoft Windows
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
Octopus Octopus Server>=2019.7.0<2021.3.13021
Octopus Octopus Server>=2022.1.2121<2022.1.2849
Octopus Octopus Server>=2022.3.348<2022.3.2387
Octopus Octopus Server=2022.2.6729
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra us...
Octopus Octopus Server>=0.9<2021.3.12533
Octopus Octopus Server>=2022.1.0<2022.1.53
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
Octopus Octopus Deploy>=0.9<=4.1.10
Octopus Octopus Deploy>=2018.1.0<=2020.1.1
Octopus Octopus Server>=2021.2.0<2021.2.8011
Octopus Octopus Server>=2021.3.0<2021.3.11057
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
Octopus Octopus Deploy>=0.9<2020.4.229
Octopus Octopus Server>=2020.5.0<2020.5.256
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
Octopus Octopus Server>2018.8.2<2020.6.5310
Octopus Octopus Server>=2021.1.0<2021.1.7622
Platforms: Linux kernel, Microsoft Windows
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
Octopus Octopus Server>=2019.7.3<=2019.7.9
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration pag...
Octopus Octopus Deploy>=2019.4.0<2019.6.6
Octopus Octopus Server>=2019.7.0<2019.7.6
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could vie...
Octopus Octopus Deploy>=2019.1.0<=2019.3.1
Octopus Octopus Server>=2019.4.0<=2019.4.5
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variabl...
Octopus Octopus Deploy<=2018.9.17
Octopus Octopus Deploy=2018.10.0
Octopus Octopus Deploy=2018.10.1
Octopus Octopus Deploy=2018.10.2
Octopus Octopus Deploy=2018.10.3
Octopus Octopus Server>=2018.11.0<2019.1.8
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially all...
Octopus Octopus Server>=2018.8.0<=2018.8.12
Octopus Octopus Server>=2018.9.0<2018.9.1
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Dire...
Octopus Octopus Server>=2018.5.1<=2018.5.7
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
Octopus Octopus Server>=2018.4.4<=2018.5.1
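The range lines above use a compact "Product<op>Version<op>Version" notation (>=, <=, <, >, =) that is easy to misread by eye, especially where an upper bound is exclusive or where a single build is listed with "=". The following is an added example, not code from SecAlerts or from Octopus Deploy, that parses that notation and reports which listed advisories contain a given installed build. The ADVISORIES table is a constructed sample copied from three entries on this page; the summaries are shortened paraphrases and the entries the page truncates with "and N more" are incomplete here as well, so a "not in any listed range" verdict is only as reliable as the ranges you feed in. Version comparison treats Octopus builds as dotted integers and pads shorter versions with zeros so that 3.0 and 3.0.0 compare equal.

```python
import re
from typing import List, Tuple

# Constructed sample: three advisories from the listing above, in the page's
# own "Product<op>Version<op>Version" notation. Each entry is (summary, ranges).
ADVISORIES = [
    ("OpenID client secret logged in clear text during configuration",
     ["Octopus Octopus Server>=2022.1.2121<2023.1.11942",
      "Octopus Octopus Server>=2023.2.2028<2023.2.13151",
      "Octopus Octopus Server>=2023.3.317<2023.3.5049"]),
    ("Git connectivity test can initiate an SMB request (NTLM relay)",
     ["Octopus Octopus Server>=2021.2.994<2022.1.3180",
      "Octopus Octopus Server>=2022.2.6729<2022.2.7965",
      "Octopus Octopus Server>=2022.3.348<2022.3.10586"]),
    ("Help sidebar support link XSS",
     ["Octopus Octopus Server>=2019.7.0<2021.3.13021",
      "Octopus Octopus Server>=2022.1.2121<2022.1.2849",
      "Octopus Octopus Server>=2022.3.348<2022.3.2387",
      "Octopus Octopus Server=2022.2.6729"]),
]

# Two-character operators are listed first so ">=" is not read as ">" then "=".
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)\s*([0-9]+(?:\.[0-9]+)*)")

_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">":  lambda c: c > 0,
    "<":  lambda c: c < 0,
    "=":  lambda c: c == 0,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2022.3.10750' into (2022, 3, 10750); Octopus builds are purely numeric."""
    return tuple(int(part) for part in text.split("."))


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Three-way compare, zero-padding the shorter tuple so 3.0 == 3.0.0."""
    width = max(len(a), len(b))
    a_p = a + (0,) * (width - len(a))
    b_p = b + (0,) * (width - len(b))
    return (a_p > b_p) - (a_p < b_p)


def parse_range(line: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """Extract every (operator, version) constraint from one range line.

    A line such as '...>=2022.1.2121<2023.1.11942' yields two constraints,
    both of which must hold; '...=2022.2.6729' yields exactly one.
    """
    found = _CONSTRAINT.findall(line)
    if not found:
        raise ValueError(f"no version constraint in: {line!r}")
    return [(op, parse_version(ver)) for op, ver in found]


def in_range(version: str, line: str) -> bool:
    """True if `version` satisfies all constraints on the range line."""
    v = parse_version(version)
    return all(_OPS[op](compare(v, bound)) for op, bound in parse_range(line))


def affected_by(version: str, advisories=ADVISORIES) -> List[str]:
    """Summaries of every advisory with at least one range containing `version`."""
    return [summary for summary, lines in advisories
            if any(in_range(version, line) for line in lines)]


if __name__ == "__main__":
    for build in ("2022.3.9000", "2022.2.6729", "2023.3.5049"):
        hits = affected_by(build)
        print(build, "->", hits if hits else "not in any listed range")
```

Note that an upper bound written with "<" is exclusive: 2023.3.5049 is the fixed build for the first advisory and is correctly reported as outside its range, while the single-build entry "=2022.2.6729" matches only that exact build.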
