Vulnerabilities > CVE-2022-1881 - Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

octopus

CWE-639

NVD

Published: 2022-07-15

Updated: 2022-07-27

Summary

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.

Vulnerable Configurations

Part	Description	Count
Application	Octopus Octopus Octopus Server 2021.1.7608 Octopus Octopus Server 2021.1.7853 Octopus Octopus Server 2022.1.2121 Octopus Octopus Server 2022.1.2128 Octopus Octopus Server 2022.1.2133 Octopus Octopus Server 2022.1.2232 Octopus Octopus Server 2022.1.2264 Octopus Octopus Server 2022.1.2274 Octopus Octopus Server 2022.1.2278 Octopus Octopus Server 2022.1.2300 Octopus Octopus Server 2022.1.2332 Octopus Octopus Server 2022.1.2342 Octopus Octopus Server 2022.1.2364 Octopus Octopus Server 2022.1.2386 Octopus Octopus Server 2022.1.2412 Octopus Octopus Server 2022.1.2438 Octopus Octopus Server 2022.1.2474 Octopus Octopus Server 2022.1.2488 Octopus Octopus Server 2022.1.2495 Octopus Octopus Server 2022.1.2556 Octopus Octopus Server 2022.1.2584 Octopus Octopus Server 2022.1.2637 Octopus Octopus Server 2022.1.2661 Octopus Octopus Server 2022.1.2669 Octopus Octopus Server 2022.1.2679 Octopus Octopus Server 2022.1.2733 Octopus Octopus Server 2022.1.2735 Octopus Octopus Server 2022.1.2744 Octopus Octopus Server 2022.1.2786 Octopus Octopus Server 2022.1.2803 Octopus Octopus Server 2022.1.2849 Octopus Octopus Server 2022.1.2875 Octopus Octopus Server 2022.3.348 Octopus Octopus Server 2022.3.1455 Octopus Octopus Server 2022.3.1591 Octopus Octopus Server 2022.3.2140 Octopus Octopus Server 2022.3.2387 Octopus Octopus Server 2022.2.6729 Octopus Octopus Server 2022.2.6764 Octopus Octopus Server 2022.2.6832 Octopus Octopus Server 2022.2.6849 Octopus Octopus Server 2022.2.6872 Octopus Octopus Server 2022.2.6895	43

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://advisories.octopus.com/post/2022/sa2022-06/