Octopus: Security Vulnerabilities
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-06-17
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-05-14
OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002.
CVSS Score
6.2
EPSS Score
0.0
Published
2021-01-22
In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-10-26
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-22
In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-12
In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker, then (under certain circumstances) the account password is exposed in cleartext in the verbose task logs output.
CVSS Score
7.5
EPSS Score
0.015
Published
2020-09-09
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.
CVSS Score
4.3
EPSS Score
0.001
Published
2020-08-25
In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-06-19
In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-04-28