Octopus: Security Vulnerabilities
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
CVSS Score
7.5
EPSS Score
0.001
Published
2021-08-18
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-07-08
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-07-08
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-06-17
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
CVSS Score
7.5
EPSS Score
0.002
Published
2021-05-14
OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002.
CVSS Score
6.2
EPSS Score
0.0
Published
2021-01-22
In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-10-26
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-22
In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-12
In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker, then (under certain circumstances) the account password is exposed in cleartext in the verbose task logs output.
CVSS Score
7.5
EPSS Score
0.015
Published
2020-09-09