CPE Details
Octopus Server 2022.2.8147
2022.2.8147
2022-10-07
09h20 +00:00
09h20 +00:00
2022-10-07
12h47 +00:00
12h47 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:octopus:octopus_server:2022.2.8147:*:*:*:*:*:*:*
Informations
Vendor
octopusProduct
octopus_serverVersion
2022.2.8147Related CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | 7.5 |
High |
||
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | 5.5 |
Medium |
||
| In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | 5.5 |
Medium |
||
| In affected versions of Octopus Deploy it is possible to discover network details via error message | 5.3 |
Medium |
||
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 5.5 |
Medium |
||
| In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage | 5.3 |
Medium |
||
| In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation | 8.8 |
High |
||
| In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items | 4.3 |
Medium |
||
| In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items | 4.3 |
Medium |
||
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 7.5 |
High |
||
| In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS | 5.4 |
Medium |
||
| In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | 6.1 |
Medium |
||
| In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | 7.5 |
High |
||
| In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | 9.8 |
Critical |
||
| In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |
Medium |
||
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | 9.1 |
Critical |
||
| In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | 9.8 |
Critical |
2025©
tesweb SA
