Server
by Octopus
Source repositories
CVEs (64)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2572 | Cri | 0.64 | 9.8 | 0.01 | Nov 1, 2022 | In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | ||
| CVE-2022-2778 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2022 | In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | ||
| CVE-2022-2782 | Cri | 0.59 | 9.1 | 0.01 | Oct 27, 2022 | In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | ||
| CVE-2025-0539 | Hig | 0.57 | 8.8 | 0.00 | Apr 10, 2025 | In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host… | ||
| CVE-2024-2975 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2024 | A race condition was identified through which privilege escalation was possible in certain configurations. | ||
| CVE-2022-4009 | Hig | 0.57 | 8.8 | 0.01 | Mar 16, 2023 | In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation | ||
| CVE-2017-17665 | Hig | 0.57 | 8.8 | 0.01 | Dec 13, 2017 | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access. | ||
| CVE-2022-2780 | Hig | 0.53 | 8.1 | 0.01 | Oct 14, 2022 | In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack. | ||
| CVE-2021-26556 | Hig | 0.51 | 7.8 | 0.00 | Oct 7, 2021 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | ||
| CVE-2025-0525 | Hig | 0.49 | 7.5 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server. | ||
| CVE-2022-2883 | Hig | 0.49 | 7.5 | 0.01 | Feb 22, 2023 | In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | ||
| CVE-2022-3460 | Hig | 0.49 | 7.5 | 0.01 | Jan 3, 2023 | In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | ||
| CVE-2022-2721 | Hig | 0.49 | 7.5 | 0.01 | Nov 25, 2022 | In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. | ||
| CVE-2022-2075 | Hig | 0.49 | 7.5 | 0.01 | Aug 19, 2022 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. | ||
| CVE-2022-2074 | Hig | 0.49 | 7.5 | 0.01 | Aug 19, 2022 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. | ||
| CVE-2022-2049 | Hig | 0.49 | 7.5 | 0.01 | Aug 19, 2022 | In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. | ||
| CVE-2022-2013 | Hig | 0.49 | 7.5 | 0.01 | Jun 13, 2022 | In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space. | ||
| CVE-2022-1670 | Hig | 0.49 | 7.5 | 0.01 | May 19, 2022 | When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users. | ||
| CVE-2021-31820 | Hig | 0.49 | 7.5 | 0.01 | Aug 18, 2021 | In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | ||
| CVE-2021-31817 | Hig | 0.49 | 7.5 | 0.01 | Jul 8, 2021 | When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. |
- risk 0.64cvss 9.8epss 0.01
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
- risk 0.64cvss 9.8epss 0.01
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
- risk 0.59cvss 9.1epss 0.01
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
- risk 0.57cvss 8.8epss 0.00
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host…
- risk 0.57cvss 8.8epss 0.00
A race condition was identified through which privilege escalation was possible in certain configurations.
- risk 0.57cvss 8.8epss 0.01
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
- risk 0.57cvss 8.8epss 0.01
In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to which a machine is scoped may include environments in which the user lacks access.
- risk 0.53cvss 8.1epss 0.01
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.
- risk 0.51cvss 7.8epss 0.00
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
- risk 0.49cvss 7.5epss 0.00
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
- risk 0.49cvss 7.5epss 0.01
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
- risk 0.49cvss 7.5epss 0.01
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
- risk 0.49cvss 7.5epss 0.01
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
- risk 0.49cvss 7.5epss 0.01
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
- risk 0.49cvss 7.5epss 0.01
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
Page 1 of 4