Filtered by vendor Octopus Subscriptions
Total 83 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-8944 1 Octopus 2 Octopus Deploy, Octopus Server 2022-10-03 N/A
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
CVE-2022-2528 1 Octopus 1 Octopus Server 2022-09-15 6.5 Medium
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVE-2022-2075 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-20 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVE-2022-2074 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-20 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-20 7.5 High
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-30532 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Server 2022-08-18 5.3 Medium
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
CVE-2022-29890 1 Octopus 1 Octopus Server 2022-08-02 6.1 Medium
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-1881 1 Octopus 1 Octopus Server 2022-07-27 5.3 Medium
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVE-2022-1670 1 Octopus 1 Octopus Server 2022-07-27 7.5 High
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
CVE-2019-19085 1 Octopus 1 Server 2022-07-27 5.4 Medium
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML.
CVE-2019-15508 1 Octopus 2 Server, Tentacle 2022-07-27 N/A
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.
CVE-2019-15507 1 Octopus 1 Server 2022-07-27 N/A
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8.
CVE-2020-16197 1 Octopus 2 Octopus Server, Server 2022-07-27 4.3 Medium
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.
CVE-2019-15698 1 Octopus 1 Octopus Server 2022-07-27 N/A
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
CVE-2019-14525 1 Octopus 2 Octopus Deploy, Octopus Server 2022-07-27 N/A
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
CVE-2022-23184 1 Octopus 2 Octopus Deploy, Octopus Server 2022-07-27 6.1 Medium
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVE-2019-11632 1 Octopus 2 Octopus Deploy, Octopus Server 2022-07-27 N/A
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.)
CVE-2018-18850 1 Octopus 1 Octopus Server 2022-07-27 N/A
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).
CVE-2017-11348 1 Octopus 2 Octopus Deploy, Octopus Server 2022-07-27 N/A
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
CVE-2022-2013 3 Linux, Microsoft, Octopus 3 Linux Kernel, Windows, Octopus Deploy 2022-06-17 7.5 High
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.