Octopusdeploy
by Octopus
Source repositories
CVEs (59)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12089 | Hig | 0.49 | 7.5 | 0.01 | Jun 11, 2018 | In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set… | ||
| CVE-2018-10550 | Hig | 0.49 | 7.5 | 0.01 | Apr 30, 2018 | In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. | ||
| CVE-2017-15609 | Hig | 0.49 | 7.5 | 0.01 | Oct 19, 2017 | Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets. | ||
| CVE-2022-2528 | Med | 0.42 | 6.5 | 0.00 | Sep 9, 2022 | In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | ||
| CVE-2020-14470 | Med | 0.42 | 6.5 | 0.01 | Jun 19, 2020 | In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password. | ||
| CVE-2019-19376 | Med | 0.42 | 6.5 | 0.01 | Nov 28, 2019 | In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS… | ||
| CVE-2019-15507 | Med | 0.42 | 6.5 | 0.01 | Aug 23, 2019 | In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is… | ||
| CVE-2019-14268 | Med | 0.42 | 6.5 | 0.01 | Jul 25, 2019 | In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3.… | ||
| CVE-2019-8944 | Med | 0.42 | 6.5 | 0.02 | Feb 20, 2019 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | ||
| CVE-2018-12884 | Med | 0.42 | 6.5 | 0.01 | Jun 26, 2018 | In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. | ||
| CVE-2018-9039 | Med | 0.42 | 6.5 | 0.01 | Mar 27, 2018 | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments. | ||
| CVE-2017-15611 | Med | 0.42 | 6.5 | 0.01 | Oct 19, 2017 | In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges. | ||
| CVE-2017-15610 | Med | 0.42 | 6.5 | 0.01 | Oct 19, 2017 | An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by… | ||
| CVE-2020-26161 | Med | 0.40 | 6.1 | 0.01 | Oct 26, 2020 | In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header. | ||
| CVE-2017-11348 | Med | 0.37 | 5.7 | 0.01 | Jul 17, 2017 | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | ||
| CVE-2022-2416 | Med | 0.36 | 5.5 | 0.00 | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | ||
| CVE-2022-2346 | Med | 0.36 | 5.5 | 0.00 | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | ||
| CVE-2022-4008 | Med | 0.36 | 5.5 | 0.00 | May 10, 2023 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | ||
| CVE-2025-0526 | Med | 0.35 | 5.4 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows. | ||
| CVE-2018-10581 | Med | 0.35 | 5.4 | 0.01 | May 1, 2018 | In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also… |
- risk 0.49cvss 7.5epss 0.01
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set…
- risk 0.49cvss 7.5epss 0.01
In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.
- risk 0.49cvss 7.5epss 0.01
Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.
- risk 0.42cvss 6.5epss 0.00
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS…
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is…
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3.…
- risk 0.42cvss 6.5epss 0.02
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu.
- risk 0.42cvss 6.5epss 0.01
In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.
- risk 0.42cvss 6.5epss 0.01
In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by…
- risk 0.40cvss 6.1epss 0.01
In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
- risk 0.37cvss 5.7epss 0.01
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
- risk 0.36cvss 5.5epss 0.00
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
- risk 0.36cvss 5.5epss 0.00
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
- risk 0.36cvss 5.5epss 0.00
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
- risk 0.35cvss 5.4epss 0.00
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
- risk 0.35cvss 5.4epss 0.01
In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also…
Page 2 of 3