VYPR

Server

by Octopus

Source repositories

CVEs (64)

  • CVE-2021-31816HigJul 8, 2021
    risk 0.49cvss 7.5epss 0.01

    When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.

  • CVE-2018-12089HigJun 11, 2018
    risk 0.49cvss 7.5epss 0.01

    In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set…

  • CVE-2024-6972MedJul 25, 2024
    risk 0.42cvss 6.5epss 0.00

    In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.

  • CVE-2022-2828MedOct 13, 2022
    risk 0.42cvss 6.5epss 0.01

    In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability

  • CVE-2022-2528MedSep 9, 2022
    risk 0.42cvss 6.5epss 0.00

    In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.

  • CVE-2017-15610MedOct 19, 2017
    risk 0.42cvss 6.5epss 0.01

    An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by…

  • CVE-2022-3614MedJan 3, 2023
    risk 0.40cvss 6.1epss 0.00

    In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

  • CVE-2022-29890MedJul 15, 2022
    risk 0.40cvss 6.1epss 0.00

    In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

  • CVE-2022-23184MedFeb 7, 2022
    risk 0.40cvss 6.1epss 0.01

    In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.

  • CVE-2026-4881MedJun 4, 2026
    risk 0.39cvss epss 0.00

    In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

  • CVE-2017-11348MedJul 17, 2017
    risk 0.37cvss 5.7epss 0.01

    In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.

  • CVE-2022-2416MedAug 2, 2023
    risk 0.36cvss 5.5epss 0.00

    In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.

  • CVE-2022-2346MedAug 2, 2023
    risk 0.36cvss 5.5epss 0.00

    In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.

  • CVE-2025-0526MedFeb 11, 2025
    risk 0.35cvss 5.4epss 0.00

    In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

  • CVE-2025-0513MedFeb 11, 2025
    risk 0.35cvss 5.4epss 0.00

    In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.

  • CVE-2022-4898MedJan 31, 2023
    risk 0.35cvss 5.4epss 0.00

    In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different…

  • CVE-2025-0589MedFeb 11, 2025
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when…

  • CVE-2022-4870MedMay 18, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to discover network details via error message

  • CVE-2023-2247MedMay 2, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function

  • CVE-2022-2507MedApr 19, 2023
    risk 0.34cvss 5.3epss 0.00

    In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage