Server
by Octopus
Source repositories
CVEs (64)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31816 | Hig | 0.49 | 7.5 | 0.01 | Jul 8, 2021 | When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. | ||
| CVE-2018-12089 | Hig | 0.49 | 7.5 | 0.01 | Jun 11, 2018 | In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set… | ||
| CVE-2024-6972 | Med | 0.42 | 6.5 | 0.00 | Jul 25, 2024 | In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. | ||
| CVE-2022-2828 | Med | 0.42 | 6.5 | 0.01 | Oct 13, 2022 | In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability | ||
| CVE-2022-2528 | Med | 0.42 | 6.5 | 0.00 | Sep 9, 2022 | In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | ||
| CVE-2017-15610 | Med | 0.42 | 6.5 | 0.01 | Oct 19, 2017 | An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by… | ||
| CVE-2022-3614 | Med | 0.40 | 6.1 | 0.00 | Jan 3, 2023 | In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | ||
| CVE-2022-29890 | Med | 0.40 | 6.1 | 0.00 | Jul 15, 2022 | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | ||
| CVE-2022-23184 | Med | 0.40 | 6.1 | 0.01 | Feb 7, 2022 | In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | ||
| CVE-2026-4881 | Med | 0.39 | — | 0.00 | Jun 4, 2026 | In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error. | ||
| CVE-2017-11348 | Med | 0.37 | 5.7 | 0.01 | Jul 17, 2017 | In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | ||
| CVE-2022-2416 | Med | 0.36 | 5.5 | 0.00 | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment. | ||
| CVE-2022-2346 | Med | 0.36 | 5.5 | 0.00 | Aug 2, 2023 | In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints. | ||
| CVE-2025-0526 | Med | 0.35 | 5.4 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows. | ||
| CVE-2025-0513 | Med | 0.35 | 5.4 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message. | ||
| CVE-2022-4898 | Med | 0.35 | 5.4 | 0.00 | Jan 31, 2023 | In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different… | ||
| CVE-2025-0589 | Med | 0.34 | 5.3 | 0.00 | Feb 11, 2025 | In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when… | ||
| CVE-2022-4870 | Med | 0.34 | 5.3 | 0.00 | May 18, 2023 | In affected versions of Octopus Deploy it is possible to discover network details via error message | ||
| CVE-2023-2247 | Med | 0.34 | 5.3 | 0.00 | May 2, 2023 | In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function | ||
| CVE-2022-2507 | Med | 0.34 | 5.3 | 0.00 | Apr 19, 2023 | In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage |
- risk 0.49cvss 7.5epss 0.01
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
- risk 0.49cvss 7.5epss 0.01
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set…
- risk 0.42cvss 6.5epss 0.00
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
- risk 0.42cvss 6.5epss 0.01
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
- risk 0.42cvss 6.5epss 0.00
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
- risk 0.42cvss 6.5epss 0.01
An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by…
- risk 0.40cvss 6.1epss 0.00
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
- risk 0.40cvss 6.1epss 0.00
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
- risk 0.40cvss 6.1epss 0.01
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
- risk 0.39cvss —epss 0.00
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
- risk 0.37cvss 5.7epss 0.01
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
- risk 0.36cvss 5.5epss 0.00
In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
- risk 0.36cvss 5.5epss 0.00
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
- risk 0.35cvss 5.4epss 0.00
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
- risk 0.35cvss 5.4epss 0.00
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.
- risk 0.35cvss 5.4epss 0.00
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different…
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when…
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to discover network details via error message
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
- risk 0.34cvss 5.3epss 0.00
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
Page 2 of 4