Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Octopus_server
(Octopus)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 45 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-11-25 | CVE-2022-2721 | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. | Octopus_server | 7.5 | ||
| 2023-01-03 | CVE-2022-3460 | In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | Octopus_server | 7.5 | ||
| 2023-01-03 | CVE-2022-3614 | In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | Octopus_server | 6.1 | ||
| 2023-01-31 | CVE-2022-4898 | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS | Octopus_server | 5.4 | ||
| 2023-08-02 | CVE-2022-2346 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | Octopus_server | 4.3 | ||
| 2023-08-02 | CVE-2022-2416 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | Octopus_server | 4.3 | ||
| 2023-12-14 | CVE-2023-1904 | In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | Octopus_server | 7.5 | ||
| 2017-07-17 | CVE-2017-11348 | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | Octopus_deploy, Octopus_server | 5.7 | ||
| 2018-05-21 | CVE-2018-11320 | In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. | Octopus_server | 9.8 | ||
| 2018-06-11 | CVE-2018-12089 | In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0. | Octopus_server | 7.5 |