Filtered by vendor Octopus
Subscriptions
Filtered by product Octopus Server
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2975 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 8.8 High |
| A race condition was identified through which privilege escalation was possible in certain configurations. | ||||
| CVE-2023-4509 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 4.3 Medium |
| It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. | ||||
| CVE-2023-1904 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 4.2 Medium |
| In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | ||||
| CVE-2022-30532 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 5.3 Medium |
| In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | ||||
| CVE-2022-2783 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.3 Medium |
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | ||||
| CVE-2022-2781 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.3 Medium |
| In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | ||||
| CVE-2022-2528 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 6.5 Medium |
| In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | ||||
| CVE-2022-2416 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.5 Medium |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | ||||
| CVE-2022-2346 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.5 Medium |
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | ||||
| CVE-2022-2075 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 7.5 High |
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. | ||||
| CVE-2022-2074 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 7.5 High |
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. | ||||
| CVE-2022-2049 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 7.5 High |
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. | ||||
| CVE-2022-29890 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 6.1 Medium |
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | ||||
| CVE-2022-23184 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-11-21 | 6.1 Medium |
| In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | ||||
| CVE-2022-1901 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 5.3 Medium |
| In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | ||||
| CVE-2022-1881 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 5.3 Medium |
| In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space. | ||||
| CVE-2022-1670 | 1 Octopus | 1 Octopus Server | 2024-11-21 | 7.5 High |
| When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | ||||
| CVE-2021-31820 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-11-21 | 7.5 High |
| In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | ||||
| CVE-2021-26556 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-11-21 | 7.8 High |
| When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | ||||
| CVE-2020-16197 | 1 Octopus | 2 Octopus Server, Server | 2024-11-21 | 4.3 Medium |
| An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation. | ||||