Octopus: >> Octopus Deploy >> 2018.11.3 Security Vulnerabilities
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
CVSS Score
5.3
EPSS Score
0.002
Published
2023-05-02
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-07
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-10-07
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-22
In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-12
In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-06-19
In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-04-28
In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug to escalate privileges.
CVSS Score
8.8
EPSS Score
0.008
Published
2020-03-19
In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details.
CVSS Score
4.3
EPSS Score
0.006
Published
2019-11-18
In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3. The fix was back-ported to LTS 2019.6.5 as well as LTS 2019.3.7.
CVSS Score
6.5
EPSS Score
0.006
Published
2019-07-25
Page 1