VYPR

Octopusdeploy

by Octopus

Source repositories

CVEs (59)

  • CVE-2018-12089HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.01

    In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set…

  • CVE-2018-10550HigApr 30, 2018
    risk 0.49cvss 7.5epss 0.01

    In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.

  • CVE-2017-15609HigOct 19, 2017
    risk 0.49cvss 7.5epss 0.01

    Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.

  • CVE-2022-2528MedSep 9, 2022
    risk 0.42cvss 6.5epss 0.00

    In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.

  • CVE-2020-14470MedJun 19, 2020
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.

  • CVE-2019-19376MedNov 28, 2019
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS…

  • CVE-2019-15507MedAug 23, 2019
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is…

  • CVE-2019-14268MedJul 25, 2019
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3.…

  • CVE-2019-8944MedFeb 20, 2019
    risk 0.42cvss 6.5epss 0.02

    An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.

  • CVE-2018-12884MedJun 26, 2018
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu.

  • CVE-2018-9039MedMar 27, 2018
    risk 0.42cvss 6.5epss 0.01

    In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

  • CVE-2017-15611MedOct 19, 2017
    risk 0.42cvss 6.5epss 0.01

    In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.

  • CVE-2017-15610MedOct 19, 2017
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by…

  • CVE-2020-26161MedOct 26, 2020
    risk 0.40cvss 6.1epss 0.01

    In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.

  • CVE-2017-11348MedJul 17, 2017
    risk 0.37cvss 5.7epss 0.01

    In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.

  • CVE-2022-2416MedAug 2, 2023
    risk 0.36cvss 5.5epss 0.00

    In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.

  • CVE-2022-2346MedAug 2, 2023
    risk 0.36cvss 5.5epss 0.00

    In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.

  • CVE-2022-4008MedMay 10, 2023
    risk 0.36cvss 5.5epss 0.00

    In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

  • CVE-2025-0526MedFeb 11, 2025
    risk 0.35cvss 5.4epss 0.00

    In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

  • CVE-2018-10581MedMay 1, 2018
    risk 0.35cvss 5.4epss 0.01

    In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also…