Filtered by vendor Octopus
Subscriptions
Filtered by product Octopus Server
Subscriptions
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-2975 | 1 Octopus | 1 Octopus Server | 2024-09-19 | 8.8 High |
A race condition was identified through which privilege escalation was possible in certain configurations. | ||||
CVE-2023-1904 | 1 Octopus | 1 Octopus Server | 2024-09-18 | 4.2 Medium |
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. | ||||
CVE-2023-4509 | 1 Octopus | 1 Octopus Server | 2024-09-18 | 4.3 Medium |
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. | ||||
CVE-2018-11320 | 1 Octopus | 1 Octopus Server | 2024-09-16 | N/A |
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. | ||||
CVE-2019-8944 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-09-16 | N/A |
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files. | ||||
CVE-2018-12089 | 1 Octopus | 1 Octopus Server | 2024-09-16 | N/A |
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0. | ||||
CVE-2017-11348 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-05 | N/A |
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value. | ||||
CVE-2018-18850 | 1 Octopus | 1 Octopus Server | 2024-08-05 | N/A |
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM). | ||||
CVE-2019-15698 | 1 Octopus | 1 Octopus Server | 2024-08-05 | N/A |
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10. | ||||
CVE-2019-14525 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-05 | N/A |
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call. | ||||
CVE-2019-11632 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-04 | N/A |
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built in User Roles.) | ||||
CVE-2020-16197 | 1 Octopus | 2 Octopus Server, Server | 2024-08-04 | 4.3 Medium |
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation. | ||||
CVE-2021-31820 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-08-03 | 7.5 High |
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. | ||||
CVE-2021-26556 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-03 | 7.8 High |
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. | ||||
CVE-2022-30532 | 3 Linux, Microsoft, Octopus | 3 Linux Kernel, Windows, Octopus Server | 2024-08-03 | 5.3 Medium |
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy. | ||||
CVE-2022-29890 | 1 Octopus | 1 Octopus Server | 2024-08-03 | 6.1 Medium |
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. | ||||
CVE-2022-23184 | 1 Octopus | 2 Octopus Deploy, Octopus Server | 2024-08-03 | 6.1 Medium |
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | ||||
CVE-2022-4870 | 1 Octopus | 1 Octopus Server | 2024-08-03 | 5.3 Medium |
In affected versions of Octopus Deploy it is possible to discover network details via error message | ||||
CVE-2022-4898 | 1 Octopus | 1 Octopus Server | 2024-08-03 | 5.4 Medium |
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being susceptible to XSS | ||||
CVE-2022-4008 | 1 Octopus | 1 Octopus Server | 2024-08-03 | 5.5 Medium |
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service |