Octopus: >> Octopus Deploy >> 2019.10.10 Security Vulnerabilities
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function
CVSS Score
5.3
EPSS Score
0.002
Published
2023-05-02
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVSS Score
6.1
EPSS Score
0.002
Published
2022-02-07
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-10-07
In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-10-26
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-22
In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-10-12
In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-06-19
In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the TaskView permission is not scoped to any dimension. For example, a scoped user who is scoped to only one tenant can view server tasks scoped to any other tenant.
CVSS Score
4.3
EPSS Score
0.004
Published
2020-04-28
In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug to escalate privileges.
CVSS Score
8.8
EPSS Score
0.008
Published
2020-03-19