Octopus: >> Octopus Server >> 3.15.3 Security Vulnerabilities
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-11-01
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-10-27
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
CVSS Score
9.1
EPSS Score
0.003
Published
2022-10-27
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
CVSS Score
5.3
EPSS Score
0.001
Published
2022-10-06
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVSS Score
5.3
EPSS Score
0.001
Published
2022-10-06
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVSS Score
9.8
EPSS Score
0.006
Published
2022-09-30
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-09-09
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19