Octopusdeploy
by Octopus
Source repositories
CVEs (59)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16810 | Med | 0.35 | 5.4 | 0.01 | Nov 14, 2017 | Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter. | ||
| CVE-2017-16801 | Med | 0.35 | 5.4 | 0.01 | Nov 13, 2017 | Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. | ||
| CVE-2025-0589 | Med | 0.34 | 5.3 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when… | ||
| CVE-2022-4870 | Med | 0.34 | 5.3 | 0.00 | May 18, 2023 | In affected versions of Octopus Deploy it is possible to discover network details via error message | ||
| CVE-2023-2247 | Med | 0.34 | 5.3 | 0.00 | May 2, 2023 | In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function | ||
| CVE-2022-2507 | Med | 0.34 | 5.3 | 0.00 | Apr 19, 2023 | In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage | ||
| CVE-2022-1901 | Med | 0.34 | 5.3 | 0.00 | Aug 19, 2022 | In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | ||
| CVE-2022-30532 | Med | 0.34 | 5.3 | 0.00 | Jul 19, 2022 | In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | ||
| CVE-2019-19375 | Med | 0.34 | 5.3 | 0.00 | Nov 28, 2019 | In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.) | ||
| CVE-2019-14525 | Med | 0.32 | 4.9 | 0.02 | Aug 5, 2019 | In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | ||
| CVE-2023-4509 | Med | 0.28 | 4.3 | 0.00 | Apr 18, 2024 | It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. | ||
| CVE-2022-2259 | Med | 0.28 | 4.3 | 0.00 | Mar 13, 2023 | In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items | ||
| CVE-2022-2258 | Med | 0.28 | 4.3 | 0.01 | Mar 13, 2023 | In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items | ||
| CVE-2022-2760 | Med | 0.28 | 4.3 | 0.00 | Sep 28, 2022 | In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. | ||
| CVE-2020-16197 | Med | 0.28 | 4.3 | 0.01 | Aug 25, 2020 | An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is… | ||
| CVE-2020-12286 | Med | 0.28 | 4.3 | 0.01 | Apr 28, 2020 | In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant. | ||
| CVE-2019-19084 | Med | 0.28 | 4.3 | 0.01 | Nov 18, 2019 | In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details. | ||
| CVE-2019-15698 | Med | 0.28 | 4.3 | 0.01 | Aug 27, 2019 | In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10. | ||
| CVE-2026-0704 | 0.00 | — | 0.00 | Feb 25, 2026 | In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows. |
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter.
- risk 0.35cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter.
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when…
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to discover network details via error message
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
- risk 0.34cvss 5.3epss 0.00
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
- risk 0.32cvss 4.9epss 0.02
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
- risk 0.28cvss 4.3epss 0.00
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
- risk 0.28cvss 4.3epss 0.00
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
- risk 0.28cvss 4.3epss 0.01
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
- risk 0.28cvss 4.3epss 0.00
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
- risk 0.28cvss 4.3epss 0.01
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is…
- risk 0.28cvss 4.3epss 0.01
In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant.
- risk 0.28cvss 4.3epss 0.01
In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details.
- risk 0.28cvss 4.3epss 0.01
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
- CVE-2026-0704Feb 25, 2026risk 0.00cvss —epss 0.00
In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
Page 3 of 3