Filtered by vendor Octopus Subscriptions
Filtered by product Octopus Server Subscriptions
Total 60 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-2416 1 Octopus 1 Octopus Server 2024-11-21 5.5 Medium
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
CVE-2022-2346 1 Octopus 1 Octopus Server 2024-11-21 5.5 Medium
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-2075 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVE-2022-2074 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-29890 1 Octopus 1 Octopus Server 2024-11-21 6.1 Medium
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-23184 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 6.1 Medium
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVE-2022-1901 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2022-1881 1 Octopus 1 Octopus Server 2024-11-21 5.3 Medium
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVE-2022-1670 1 Octopus 1 Octopus Server 2024-11-21 7.5 High
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
CVE-2021-31820 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2024-11-21 7.5 High
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
CVE-2021-26556 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 7.8 High
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
CVE-2020-16197 1 Octopus 2 Octopus Server, Server 2024-11-21 4.3 Medium
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.
CVE-2019-8944 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 N/A
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
CVE-2019-15698 1 Octopus 1 Octopus Server 2024-11-21 N/A
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
CVE-2019-14525 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 N/A
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
CVE-2019-11632 1 Octopus 2 Octopus Deploy, Octopus Server 2024-11-21 N/A
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)
CVE-2018-18850 1 Octopus 1 Octopus Server 2024-11-21 N/A
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).
CVE-2018-12089 1 Octopus 1 Octopus Server 2024-11-21 N/A
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.
CVE-2018-11320 1 Octopus 1 Octopus Server 2024-11-21 N/A
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.