Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Octopus_deploy
(Octopus)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 31 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-05-02 | CVE-2023-2247 | In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function | Octopus_deploy | 5.3 | ||
| 2021-10-07 | CVE-2021-26556 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | Octopus_deploy, Octopus_server | 7.8 | ||
| 2017-07-17 | CVE-2017-11348 | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | Octopus_deploy, Octopus_server | 5.7 | ||
| 2019-02-20 | CVE-2019-8944 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | Octopus_deploy, Octopus_server | 6.5 | ||
| 2019-05-01 | CVE-2019-11632 | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) | Octopus_deploy, Octopus_server | 8.1 | ||
| 2019-08-05 | CVE-2019-14525 | In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | Octopus_deploy, Octopus_server | 4.9 | ||
| 2022-02-07 | CVE-2022-23184 | In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | Octopus_deploy, Octopus_server | 6.1 | ||
| 2022-06-13 | CVE-2022-2013 | In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space. | Octopus_deploy | 7.5 | ||
| 2020-10-26 | CVE-2020-26161 | In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header. | Octopus_deploy | 6.1 | ||
| 2019-11-28 | CVE-2019-19376 | In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.) | Octopus_deploy | 6.5 |