Octopus: >> Octopus Server >> 2022.3.2387 Security Vulnerabilities
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVSS Score
5.3
EPSS Score
0.002
Published
2022-10-06
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-09-30
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
CVSS Score
4.3
EPSS Score
0.003
Published
2022-09-28
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-09-09
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVSS Score
7.5
EPSS Score
0.005
Published
2022-08-19
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-08-19
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVSS Score
5.3
EPSS Score
0.002
Published
2022-07-15
Page 4