CVE-2022-4009: Command Injection
First published: Thu Mar 16 2023(Updated: )
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
Credit: security@octopus.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Octopus Octopus Server | >=3.0.19<2022.2.8552 | |
| Octopus Octopus Server | >=2022.3.348<2022.3.10750 | |
| Octopus Octopus Server | >=2022.4.791<2022.4.8319 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability CVE-2022-4009?
Vulnerability CVE-2022-4009 is a security flaw in Octopus Deploy that allows a user to introduce code via offline package creation.
How does vulnerability CVE-2022-4009 impact Octopus Deploy?
Vulnerability CVE-2022-4009 can be exploited by an attacker to inject malicious code into Octopus Deploy through offline package creation.
Which versions of Octopus Deploy are affected by vulnerability CVE-2022-4009?
Versions between 3.0.19 and 2022.2.8552, 2022.3.348 and 2022.3.10750, and 2022.4.791 and 2022.4.8319 of Octopus Deploy are affected by vulnerability CVE-2022-4009.
What is the severity of vulnerability CVE-2022-4009?
Vulnerability CVE-2022-4009 has a severity rating of 8.8 (high).
How can I fix vulnerability CVE-2022-4009 in Octopus Deploy?
To fix vulnerability CVE-2022-4009, it is recommended to update Octopus Deploy to a version that is not affected by the vulnerability.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/octopus
- canonical/octopus octopus server
- version/octopus octopus server/3.0.19
- version/octopus octopus server/2022.3.348
- version/octopus octopus server/2022.4.791