CPE Details
Octopus Server 2018.9.16
2018.9.16
2022-07-27
14h39 +00:00
14h39 +00:00
2022-07-27
14h40 +00:00
14h40 +00:00
Alerte pour un CPE
Restez informé de toutes modifications pour un CPE spécifique.
CPE Name: cpe:2.3:a:octopus:octopus_server:2018.9.16:*:*:*:*:*:*:*
Informations
Vendor
octopusProduct
octopus_serverVersion
2018.9.16Related CVE
| CVE ID | Publié | Description | Score | Gravité |
|---|---|---|---|---|
| In affected versions of Octopus Deploy it is possible to discover network details via error message | 5.3 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 5.5 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage | 5.3 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation | 8.8 |
Haute |
||
| In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 7.5 |
Haute |
||
| In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | 6.1 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | 7.5 |
Haute |
||
| In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | 9.8 |
Critique |
||
| In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |
Moyen |
||
| In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | 9.1 |
Critique |
||
| In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. | 5.3 |
Moyen |
||
| In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | 5.3 |
Moyen |
||
| In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | 5.3 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | 9.8 |
Critique |
||
| In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | 6.5 |
Moyen |
||
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. | 7.5 |
Haute |
||
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. | 7.5 |
Haute |
||
| In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. | 7.5 |
Haute |
||
| In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | 5.3 |
Moyen |
||
| When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | 7.5 |
Haute |
||
| In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | 7.5 |
Haute |
2025©
tesweb SA
