Refine your search
58 vulnerabilities found for Octopus Server by Octopus Deploy
CVE-2026-3237 (GCVE-0-2026-3237)
Vulnerability from cvelistv5
Published
2026-03-17 06:37
Modified
2026-03-17 13:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Low-Privilege User Can Modify Global Signing Key Settings
Summary
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2023.0.0 < 2025.3.14731 Version: 2025.4.0 < 2025.4.10359 Version: 2026.1.0 < 2026.1.5571 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:20:19.497726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:20:24.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2025.3.14731",
"status": "affected",
"version": "2023.0.0",
"versionType": "custom"
},
{
"lessThan": "2025.4.10359",
"status": "affected",
"version": "2025.4.0",
"versionType": "custom"
},
{
"lessThan": "2026.1.5571",
"status": "affected",
"version": "2026.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by raihanadiarba"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."
}
],
"value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Low-Privilege User Can Modify Global Signing Key Settings",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T06:37:59.369Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2026/sa2026-03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2026-3237",
"datePublished": "2026-03-17T06:37:59.369Z",
"dateReserved": "2026-02-26T00:26:01.068Z",
"dateUpdated": "2026-03-17T13:20:24.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3236 (GCVE-0-2026-3236)
Vulnerability from cvelistv5
Published
2026-03-05 10:37
Modified
2026-03-05 14:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2023.0.0 < 2025.3.14761 Version: 2025.4.0 < 2025.4.10409 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T14:16:57.713650Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T14:17:07.392Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2025.3.14761",
"status": "affected",
"version": "2023.0.0",
"versionType": "custom"
},
{
"lessThan": "2025.4.10409",
"status": "affected",
"version": "2025.4.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by nguyennb"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."
}
],
"value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T10:37:03.736Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2026/sa2026-02"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2026-3236",
"datePublished": "2026-03-05T10:37:03.736Z",
"dateReserved": "2026-02-26T00:25:55.210Z",
"dateUpdated": "2026-03-05T14:17:07.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0704 (GCVE-0-2026-0704)
Vulnerability from cvelistv5
Published
2026-02-25 12:22
Modified
2026-02-27 14:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- File Modification/Deletion Path Traversal
Summary
In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2023.0.0 < 2025.3.14715 Version: 2025.4.0 < 2025.4.10359 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T15:40:09.659181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T14:48:18.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2025.3.14715",
"status": "affected",
"version": "2023.0.0",
"versionType": "custom"
},
{
"lessThan": "2025.4.10359",
"status": "affected",
"version": "2025.4.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by oub3ll4"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows."
}
],
"value": "In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "File Modification/Deletion Path Traversal",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T12:22:18.328Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2026/sa2026-01"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2026-0704",
"datePublished": "2026-02-25T12:22:18.328Z",
"dateReserved": "2026-01-08T01:25:18.708Z",
"dateUpdated": "2026-02-27T14:48:18.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0539 (GCVE-0-2025-0539)
Vulnerability from cvelistv5
Published
2025-04-10 05:20
Modified
2025-04-15 20:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Server Side Request Forgery
Summary
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2.6.0 < 2024.3.13071 Version: 2024.4.401 < 2024.4.7065 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0539",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:23:51.763333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:25:25.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.13071",
"status": "affected",
"version": "2.6.0",
"versionType": "custom"
},
{
"lessThan": "2024.4.7065",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by Edward Prior (@JankhJankh)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself."
}
],
"value": "In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server Side Request Forgery",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T05:25:15.667Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2025/sa2025-06"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0539",
"datePublished": "2025-04-10T05:20:38.264Z",
"dateReserved": "2025-01-17T06:55:32.593Z",
"dateUpdated": "2025-04-15T20:25:25.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0588 (GCVE-0-2025-0588)
Vulnerability from cvelistv5
Published
2025-02-11 11:22
Modified
2025-03-13 15:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Denial of Service with Backdoor access
Summary
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2020.1.0 < 2024.3.13097 Version: 2024.4.401 < 2024.4.7091 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:32:53.027472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T15:30:38.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"broken-link"
],
"url": "https://advisories.octopus.com/post/2024/sa2025-05/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://advisories.octopus.com/post/2025/sa2025-05/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.13097",
"status": "affected",
"version": "2020.1.0",
"versionType": "custom"
},
{
"lessThan": "2024.4.7091",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by Edward Prior (@JankhJankh)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated."
}
],
"value": "In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service with Backdoor access",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T11:22:27.034Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2025-05/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0588",
"datePublished": "2025-02-11T11:22:27.034Z",
"dateReserved": "2025-01-20T05:46:19.249Z",
"dateUpdated": "2025-03-13T15:30:38.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0513 (GCVE-0-2025-0513)
Vulnerability from cvelistv5
Published
2025-02-11 10:27
Modified
2025-02-11 14:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- XSS in Octopus Deploy error page
Summary
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2024.3.164 < 2024.3.12985 Version: 2024.4.401 < 2024.4.6962 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0513",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:40:30.520706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T14:41:18.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.12985",
"status": "affected",
"version": "2024.3.164",
"versionType": "custom"
},
{
"lessThan": "2024.4.6962",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by Edward Prior (@JankhJankh)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message."
}
],
"value": "In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS in Octopus Deploy error page",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T10:27:26.482Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2025-04/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0513",
"datePublished": "2025-02-11T10:27:26.482Z",
"dateReserved": "2025-01-16T06:52:12.103Z",
"dateUpdated": "2025-02-11T14:41:18.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0526 (GCVE-0-2025-0526)
Vulnerability from cvelistv5
Published
2025-02-11 10:09
Modified
2025-03-18 17:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- File Upload Path Traversal
Summary
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2022.4.791 < 2024.3.13097 Version: 2024.4.401 < 2024.4.7091 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:25:59.593142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T17:50:08.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-25T18:34:12.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2025/sa2025-03/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.13097",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2024.4.7091",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by Edward Prior (@JankhJankh)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows."
}
],
"value": "In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "File Upload Path Traversal",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T10:20:54.415Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2025-03/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0526",
"datePublished": "2025-02-11T10:09:56.067Z",
"dateReserved": "2025-01-17T03:24:52.395Z",
"dateUpdated": "2025-03-18T17:50:08.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0525 (GCVE-0-2025-0525)
Vulnerability from cvelistv5
Published
2025-02-11 09:53
Modified
2025-03-24 16:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- File Existence Disclosure
Summary
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2020.6.4592 < 2024.3.13007 Version: 2024.4.401 < 2024.4.6995 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:29:03.230997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T16:29:52.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.13007",
"status": "affected",
"version": "2020.6.4592",
"versionType": "custom"
},
{
"lessThan": "2024.4.6995",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was found by Edward Prior (@JankhJankh)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server."
}
],
"value": "In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "File Existence Disclosure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T09:57:57.720Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2025-02/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0525",
"datePublished": "2025-02-11T09:53:25.849Z",
"dateReserved": "2025-01-17T02:42:42.838Z",
"dateUpdated": "2025-03-24T16:29:52.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0589 (GCVE-0-2025-0589)
Vulnerability from cvelistv5
Published
2025-02-11 08:59
Modified
2025-02-11 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Active Directory data can be read using API endpoints without Authentication
Summary
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2020.3.3 < 2024.3.13071 Version: 2024.4.401 < 2024.4.7065 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T15:06:16.630094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-648",
"description": "CWE-648 Incorrect Use of Privileged APIs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T15:20:52.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.3.13071",
"status": "affected",
"version": "2020.3.3",
"versionType": "custom"
},
{
"lessThan": "2024.4.7065",
"status": "affected",
"version": "2024.4.401",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-01-23T11:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself."
}
],
"value": "In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Active Directory data can be read using API endpoints without Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T11:15:28.234Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2025/sa2025-01/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2025-0589",
"datePublished": "2025-02-11T08:59:51.030Z",
"dateReserved": "2025-01-20T05:49:45.502Z",
"dateUpdated": "2025-02-11T15:20:52.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1656 (GCVE-0-2024-1656)
Vulnerability from cvelistv5
Published
2024-09-11 04:05
Modified
2024-12-06 18:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Insufficient Content Security Policy Configuration
Summary
Affected versions of Octopus Server had a weak content security policy.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2018.1.0 < 2024.2.9193 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:12:55.014065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T18:50:10.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2018.1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-09-11T01:48:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected versions of Octopus Server had a weak content security policy."
}
],
"value": "Affected versions of Octopus Server had a weak content security policy."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Content Security Policy Configuration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T04:05:31.487Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-08/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-1656",
"datePublished": "2024-09-11T04:05:31.487Z",
"dateReserved": "2024-02-20T06:02:20.284Z",
"dateUpdated": "2024-12-06T18:50:10.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7998 (GCVE-0-2024-7998)
Vulnerability from cvelistv5
Published
2024-08-21 05:30
Modified
2024-12-03 18:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect OIDC cookie expiration time
Summary
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2022.4.8332 < 2024.1.12931 Version: 2024.1.437 < 2024.1.12931 Version: 2024.2.101 < 2024.2.9313 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T13:26:30.899592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:48:03.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.1.12931",
"status": "affected",
"version": "2022.4.8332",
"versionType": "custom"
},
{
"lessThan": "2024.1.12931",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.9313",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan."
}
],
"value": "In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect OIDC cookie expiration time",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T05:30:35.851Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-07/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-7998",
"datePublished": "2024-08-21T05:30:35.851Z",
"dateReserved": "2024-08-19T23:06:26.081Z",
"dateUpdated": "2024-12-03T18:48:03.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6972 (GCVE-0-2024-6972)
Vulnerability from cvelistv5
Published
2024-07-25 05:16
Modified
2024-11-26 15:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Sensitive Variables exposed in TaskLogs
Summary
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2024.1 < 2024.1.12759 Version: 2024.2 < 2024.2.9193 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6972",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:56:25.168310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T15:37:28.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-06/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2024.1.12759",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text."
}
],
"value": "In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sensitive Variables exposed in TaskLogs",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T05:16:49.256Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-06/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-6972",
"datePublished": "2024-07-25T05:16:49.256Z",
"dateReserved": "2024-07-22T02:03:32.352Z",
"dateUpdated": "2024-11-26T15:37:28.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4811 (GCVE-0-2024-4811)
Vulnerability from cvelistv5
Published
2024-07-25 04:46
Modified
2025-01-16 06:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Access to failed project imports in restricted spaces
Summary
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2023.1 < 2023.4.8608 Version: 2024.1 < 2024.1.12759 Version: 2024.2 < 2024.2.9193 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T13:17:06.536166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T13:12:02.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:09.902Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-05/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.8608",
"status": "affected",
"version": "2023.1",
"versionType": "custom"
},
{
"lessThan": "2024.1.12759",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.9193",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts."
}
],
"value": "In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Access to failed project imports in restricted spaces",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T06:43:12.488Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-05/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4811",
"datePublished": "2024-07-25T04:46:43.523Z",
"dateReserved": "2024-05-13T02:06:31.944Z",
"dateUpdated": "2025-01-16T06:43:12.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4456 (GCVE-0-2024-4456)
Vulnerability from cvelistv5
Published
2024-05-08 00:46
Modified
2025-01-16 06:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored XSS in Audit Page
Summary
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 3.0 < 2023.3.13361 Version: 2023.4.296 < 2023.4.8338 Version: 2024.1.437 < 2024.1.11127 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T15:05:42.820687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T17:45:59.630Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:40:47.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-04/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.3.13361",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2023.4.8338",
"status": "affected",
"version": "2023.4.296",
"versionType": "custom"
},
{
"lessThan": "2024.1.11127",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page."
}
],
"value": "In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored XSS in Audit Page",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T06:45:47.638Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-04/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4456",
"datePublished": "2024-05-08T00:46:31.887Z",
"dateReserved": "2024-05-03T06:20:51.354Z",
"dateUpdated": "2025-01-16T06:45:47.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4226 (GCVE-0-2024-4226)
Vulnerability from cvelistv5
Published
2024-04-30 01:53
Modified
2024-12-04 17:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Users with no permissions can see all users
Summary
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2022.2.5205 < 2022.2.7934 Version: 2022.3.348 < 2022.3.9163 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T18:03:49.095055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T17:19:41.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.915Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/SA2024-03/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.2.7934",
"status": "affected",
"version": "2022.2.5205",
"versionType": "custom"
},
{
"lessThan": "2022.3.9163",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed."
}
],
"value": "It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Users with no permissions can see all users",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-30T01:53:34.277Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/SA2024-03/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-4226",
"datePublished": "2024-04-30T01:53:34.277Z",
"dateReserved": "2024-04-26T03:52:25.114Z",
"dateUpdated": "2024-12-04T17:19:41.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4509 (GCVE-0-2023-4509)
Vulnerability from cvelistv5
Published
2024-04-17 23:10
Modified
2024-11-07 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- API key disclosed in Octopus Server audit log
Summary
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2018.9 < 2023.4.296 Version: 2024.1 < 2024.1.437 Version: 2024.2 < 2024.2.101 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2024.2.101",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T19:18:35.698764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:55:13.840Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-02/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.296",
"status": "affected",
"version": "2018.9",
"versionType": "custom"
},
{
"lessThan": "2024.1.437",
"status": "affected",
"version": "2024.1",
"versionType": "custom"
},
{
"lessThan": "2024.2.101",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt."
}
],
"value": "It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "API key disclosed in Octopus Server audit log",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T07:12:55.561Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-02/"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-4509",
"datePublished": "2024-04-17T23:10:37.111Z",
"dateReserved": "2023-08-24T03:00:03.168Z",
"dateUpdated": "2024-11-07T16:55:13.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2975 (GCVE-0-2024-2975)
Vulnerability from cvelistv5
Published
2024-04-09 01:02
Modified
2024-09-19 04:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Race condition could lead to privilege escalation
Summary
A race condition was identified through which privilege escalation was possible in certain configurations.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 0.9 < 2023.4.8432 Version: 2024.1.437 < 2024.1.12087 Version: 2024.2.101 < 2024.2.2075 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:0.9:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2023.4.8432",
"status": "affected",
"version": "0.9",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:octopus:octopus_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "octopus_server",
"vendor": "octopus",
"versions": [
{
"lessThan": "2024.1.12087",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.2075",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T17:03:49.379549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1223",
"description": "CWE-1223 Race Condition for Write-Once Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-19T22:04:50.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2024/sa2024-01/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2023.4.8432",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2024.1.12087",
"status": "affected",
"version": "2024.1.437",
"versionType": "custom"
},
{
"lessThan": "2024.2.2075",
"status": "affected",
"version": "2024.2.101",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A race condition was identified through which privilege escalation was possible in certain configurations."
}
],
"value": "A race condition was identified through which privilege escalation was possible in certain configurations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition could lead to privilege escalation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T04:48:32.065Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2024/sa2024-01/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2024-2975",
"datePublished": "2024-04-09T01:02:46.880Z",
"dateReserved": "2024-03-27T05:50:03.804Z",
"dateUpdated": "2024-09-19T04:48:32.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1904 (GCVE-0-2023-1904)
Vulnerability from cvelistv5
Published
2023-12-14 07:23
Modified
2024-09-18 07:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- OpenID client secret logged in plain text during configuration
Summary
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2022.2.7897 < unspecified Version: unspecified < 2023.1.11942 Version: unspecified < 2023.2.13151 Version: unspecified < 2023.3.5049 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:05:26.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-12/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.7897",
"versionType": "custom"
},
{
"lessThan": "2023.1.11942",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.2.13151",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.3.5049",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.\u003c/p\u003e"
}
],
"value": "In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "OpenID client secret logged in plain text during configuration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T07:09:21.166Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-12/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-1904",
"datePublished": "2023-12-14T07:23:08.589Z",
"dateReserved": "2023-04-06T06:30:38.789Z",
"dateUpdated": "2024-09-18T07:09:21.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2416 (GCVE-0-2022-2416)
Vulnerability from cvelistv5
Published
2023-08-02 05:26
Modified
2024-10-11 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Blind SSRF vulnerability that allows enumeration/recon of an environment
Summary
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2019.4.0 < 2022.4.9997 Version: 2023.1.0 < 2023.1.10235 Version: 2023.2.0 < 2023.2.10545 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.800Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-11/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T13:02:58.972130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:08:57.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.4.9997",
"status": "affected",
"version": "2019.4.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.10235",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2023.2.10545",
"status": "affected",
"version": "2023.2.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment."
}
],
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Blind SSRF vulnerability that allows enumeration/recon of an environment",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T05:26:10.773Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-11/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2416",
"datePublished": "2023-08-02T05:26:10.773Z",
"dateReserved": "2022-07-15T00:45:56.517Z",
"dateUpdated": "2024-10-11T14:08:57.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2346 (GCVE-0-2022-2346)
Vulnerability from cvelistv5
Published
2023-08-02 01:09
Modified
2024-10-11 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Guest user with low permissions able to interact with extension endpoints
Summary
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2019.4.0 < 2022.4.9997 Version: 2023.1.0 < 2023.1.10235 Version: 2023.2.0 < 2023.2.10545 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-10/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-2346",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T13:03:04.190086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:08:43.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"Linux"
],
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "2022.4.9997",
"status": "affected",
"version": "2019.4.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.10235",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2023.2.10545",
"status": "affected",
"version": "2023.2.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints."
}
],
"value": "In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Guest user with low permissions able to interact with extension endpoints",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T02:02:12.977Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-10/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2346",
"datePublished": "2023-08-02T01:09:01.761Z",
"dateReserved": "2022-07-08T05:52:42.083Z",
"dateUpdated": "2024-10-11T14:08:43.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4870 (GCVE-0-2022-4870)
Vulnerability from cvelistv5
Published
2023-05-18 00:00
Modified
2025-01-21 20:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Network discovery via error message detail
Summary
In affected versions of Octopus Deploy it is possible to discover network details via error message
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 3.0 < unspecified Version: unspecified < 2023.1.9879 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:45.795Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-09/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T20:34:54.967887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T20:38:12.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0",
"versionType": "custom"
},
{
"lessThan": "2023.1.9879",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to discover network details via error message"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Network discovery via error message detail",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-18T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-09/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4870",
"datePublished": "2023-05-18T00:00:00.000Z",
"dateReserved": "2023-01-03T00:00:00.000Z",
"dateUpdated": "2025-01-21T20:38:12.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2247 (GCVE-0-2023-2247)
Vulnerability from cvelistv5
Published
2023-05-02 00:00
Modified
2024-12-03 15:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Variable preview can unmask secrets
Summary
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2018.3.0 < unspecified Version: unspecified < 2022.3.10929 Version: unspecified < 2022.4.791 Version: unspecified < 2022.4.8319 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-07/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T15:16:07.719828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T15:16:16.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.3.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.10929",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2022.4.791",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function\u003c/p\u003e"
}
],
"value": "In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Variable preview can unmask secrets",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T07:10:25.398Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-07/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2023-2247",
"datePublished": "2023-05-02T00:00:00.000Z",
"dateReserved": "2023-04-24T00:00:00.000Z",
"dateUpdated": "2024-12-03T15:16:16.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2507 (GCVE-0-2022-2507)
Vulnerability from cvelistv5
Published
2023-04-19 00:00
Modified
2025-02-05 15:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Weak Content Security Policy Header
Summary
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10957 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8332 Version: unspecified < 2023.1.6715 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-06/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T15:48:49.152129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:50:48.042Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10957",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8332",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.1.6715",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Weak Content Security Policy Header",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-19T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-06/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2507",
"datePublished": "2023-04-19T00:00:00.000Z",
"dateReserved": "2022-07-22T00:00:00.000Z",
"dateUpdated": "2025-02-05T15:50:48.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4009 (GCVE-0-2022-4009)
Vulnerability from cvelistv5
Published
2023-03-16 00:00
Modified
2025-02-26 20:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Command injection via offline package creation
Summary
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 3.0.19 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8319 Version: unspecified < 2023.1.4189 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:54.167Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T19:43:37.567862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T20:17:44.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.0.19",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "2023.1.4189",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Command injection via offline package creation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-16T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-05/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4009",
"datePublished": "2023-03-16T00:00:00.000Z",
"dateReserved": "2022-11-16T00:00:00.000Z",
"dateUpdated": "2025-02-26T20:17:44.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2258 (GCVE-0-2022-2258)
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2025-02-27 21:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Able to view tagsets without assigned permissions
Summary
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2019.1.0 < unspecified Version: unspecified < 2022.3.11098 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8463 Version: 2023.1.4189 < unspecified Version: unspecified < 2023.1.9672 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.501Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-03/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T21:14:06.766838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T21:17:59.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.11098",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8463",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2023.1.4189",
"versionType": "custom"
},
{
"lessThan": "2023.1.9672",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Able to view tagsets without assigned permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-03/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2258",
"datePublished": "2023-03-13T00:00:00.000Z",
"dateReserved": "2022-06-30T00:00:00.000Z",
"dateUpdated": "2025-02-27T21:17:59.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2259 (GCVE-0-2022-2259)
Vulnerability from cvelistv5
Published
2023-03-13 00:00
Modified
2025-03-03 20:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Able to view workerpools without assigned permissions
Summary
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2019.1.0 < unspecified Version: unspecified < 2022.3.11098 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8463 Version: 2023.1.4189 < unspecified Version: unspecified < 2023.1.9672 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-04/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T20:27:37.285309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T20:30:29.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.1.0",
"versionType": "custom"
},
{
"lessThan": "2022.3.11098",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8463",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2023.1.4189",
"versionType": "custom"
},
{
"lessThan": "2023.1.9672",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Able to view workerpools without assigned permissions",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-04/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2259",
"datePublished": "2023-03-13T00:00:00.000Z",
"dateReserved": "2022-06-30T00:00:00.000Z",
"dateUpdated": "2025-03-03T20:30:29.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2883 (GCVE-0-2022-2883)
Vulnerability from cvelistv5
Published
2023-02-22 00:00
Modified
2025-03-11 19:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Zipbomb resource exhaustion
Summary
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 0.9 < unspecified Version: unspecified < 2022.3.11043 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8401 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2023/sa2023-02/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-2883",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T19:13:32.142557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T19:16:07.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "0.9",
"versionType": "custom"
},
{
"lessThan": "2022.3.11043",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8401",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Zipbomb resource exhaustion",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-22T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2023/sa2023-02/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-2883",
"datePublished": "2023-02-22T00:00:00.000Z",
"dateReserved": "2022-08-17T00:00:00.000Z",
"dateUpdated": "2025-03-11T19:16:07.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4898 (GCVE-0-2022-4898)
Vulnerability from cvelistv5
Published
2023-01-31 00:00
Modified
2025-03-27 14:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored Cross-Site Scripting (XSS)
Summary
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2019.7.0 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8319 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:45.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2023-01/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:39:31.790877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:39:44.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2019.7.0",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8319",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored Cross-Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-21T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2023-01/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-4898",
"datePublished": "2023-01-31T00:00:00.000Z",
"dateReserved": "2023-01-30T00:00:00.000Z",
"dateUpdated": "2025-03-27T14:39:44.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3614 (GCVE-0-2022-3614)
Vulnerability from cvelistv5
Published
2023-01-03 00:00
Modified
2025-04-10 14:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Authentication Bypass Using an Alternate Path or Channel
Summary
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 3.5.1 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8063 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-26/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3614",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T14:45:47.580046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T14:45:59.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "3.5.1",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8063",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-26/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-3614",
"datePublished": "2023-01-03T00:00:00.000Z",
"dateReserved": "2022-10-19T00:00:00.000Z",
"dateUpdated": "2025-04-10T14:45:59.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3460 (GCVE-0-2022-3460)
Vulnerability from cvelistv5
Published
2023-01-02 00:00
Modified
2025-04-10 15:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Exposure of Sensitive Information Through Environmental Variables
Summary
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Octopus Deploy | Octopus Server |
Version: 2018.3.1 < unspecified Version: unspecified < 2021.3.13150 Version: 2022.1.2121 < unspecified Version: unspecified < 2022.1.3281 Version: 2022.2.7897 < unspecified Version: unspecified < 2022.2.8552 Version: 2022.3.348 < unspecified Version: unspecified < 2022.3.10750 Version: 2022.4.791 < unspecified Version: unspecified < 2022.4.8221 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://advisories.octopus.com/post/2022/sa2022-25/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T15:25:30.352379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:25:44.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Octopus Server",
"vendor": "Octopus Deploy",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2018.3.1",
"versionType": "custom"
},
{
"lessThan": "2021.3.13150",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.1.2121",
"versionType": "custom"
},
{
"lessThan": "2022.1.3281",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.2.7897",
"versionType": "custom"
},
{
"lessThan": "2022.2.8552",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.3.348",
"versionType": "custom"
},
{
"lessThan": "2022.3.10750",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "2022.4.791",
"versionType": "custom"
},
{
"lessThan": "2022.4.8221",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposure of Sensitive Information Through Environmental Variables",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-02T00:00:00.000Z",
"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"shortName": "Octopus"
},
"references": [
{
"url": "https://advisories.octopus.com/post/2022/sa2022-25/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
"assignerShortName": "Octopus",
"cveId": "CVE-2022-3460",
"datePublished": "2023-01-02T00:00:00.000Z",
"dateReserved": "2022-10-11T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:25:44.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}