Filtered by vendor Octopus Subscriptions
Filtered by product Octopus Server Subscriptions
Total 47 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-2572 1 Octopus 1 Octopus Server 2024-11-21 9.8 Critical
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVE-2022-2528 1 Octopus 1 Octopus Server 2024-11-21 6.5 Medium
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVE-2022-2508 1 Octopus 1 Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
CVE-2022-2507 1 Octopus 1 Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVE-2022-2416 1 Octopus 1 Octopus Server 2024-11-21 5.5 Medium
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
CVE-2022-2346 1 Octopus 1 Octopus Server 2024-11-21 5.5 Medium
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-2259 1 Octopus 1 Octopus Server 2024-11-21 4.3 Medium
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
CVE-2022-2258 1 Octopus 1 Octopus Server 2024-11-21 4.3 Medium
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
CVE-2022-2075 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVE-2022-2074 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-29890 1 Octopus 1 Octopus Server 2024-11-21 6.1 Medium
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-23184 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 6.1 Medium
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVE-2022-1901 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2022-1881 1 Octopus 1 Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVE-2022-1670 1 Octopus 1 Octopus Server 2024-11-21 7.5 High
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
CVE-2021-31820 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
CVE-2021-26556 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 7.8 High
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
CVE-2020-16197 1 Octopus 2 Octopus Server, Server 2024-11-21 4.3 Medium
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.
CVE-2019-8944 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 N/A
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.