U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:a:octopus:octopus_server:2021.3.12846:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 29 matching records.
Displaying matches 21 through 29.
Vuln ID Summary CVSS Severity
CVE-2022-2760

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

Published: September 28, 2022; 8:15:09 AM -0400 		V4.0:(not available)
 V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-2528

In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.

Published: September 09, 2022; 4:15:07 AM -0400 		V4.0:(not available)
 V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-2075

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.

Published: August 19, 2022; 5:15:08 AM -0400 		V4.0:(not available)
 V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-2074

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.

Published: August 19, 2022; 5:15:08 AM -0400 		V4.0:(not available)
 V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-2049

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.

Published: August 19, 2022; 5:15:08 AM -0400 		V4.0:(not available)
 V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-1901

In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.

Published: August 19, 2022; 4:15:07 AM -0400 		V4.0:(not available)
 V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-30532

In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.

Published: July 19, 2022; 3:15:07 AM -0400 		V4.0:(not available)
 V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-29890

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

Published: July 15, 2022; 4:15:07 AM -0400 		V4.0:(not available)
 V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-1881

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.

Published: July 15, 2022; 4:15:07 AM -0400 		V4.0:(not available)
 V3.1: 5.3 MEDIUM
V2.0:(not available)