Vulnerabilities > CVE-2022-2828 - Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

octopus

CWE-639

NVD

Published: 2022-10-13

Updated: 2022-10-14

Summary

In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability

Vulnerable Configurations

Part	Description	Count
Application	Octopus Octopus Octopus Server 2022.3.348 Octopus Octopus Server 2022.3.1455 Octopus Octopus Server 2022.2.6729 Octopus Octopus Server 2022.2.6764 Octopus Octopus Server 2022.2.6832 Octopus Octopus Server 2022.2.6849 Octopus Octopus Server 2022.2.6872 Octopus Octopus Server 2022.2.6895 Octopus Octopus Server 2022.2.6971 Octopus Octopus Server 2022.2.7718 Octopus Octopus Server 2022.2.7897 Octopus Octopus Server 2022.1.2121 Octopus Octopus Server 2022.1.2128 Octopus Octopus Server 2022.1.2133 Octopus Octopus Server 2022.1.2232 Octopus Octopus Server 2022.1.2264 Octopus Octopus Server 2022.1.2274 Octopus Octopus Server 2022.1.2278 Octopus Octopus Server 2022.1.2300 Octopus Octopus Server 2022.1.2332 Octopus Octopus Server 2022.1.2342 Octopus Octopus Server 2022.1.2364 Octopus Octopus Server 2022.1.2386 Octopus Octopus Server 2022.1.2412 Octopus Octopus Server 2022.1.2438 Octopus Octopus Server 2022.1.2474 Octopus Octopus Server 2022.1.2488 Octopus Octopus Server 2022.1.2495 Octopus Octopus Server 2022.1.2556 Octopus Octopus Server 2022.1.2584 Octopus Octopus Server 2022.1.2637 Octopus Octopus Server 2022.1.2661 Octopus Octopus Server 2022.1.2669 Octopus Octopus Server 2022.1.2679 Octopus Octopus Server 2022.1.2733 Octopus Octopus Server 2022.1.2735 Octopus Octopus Server 2022.1.2744 Octopus Octopus Server 2022.1.2786 Octopus Octopus Server 2022.1.2803 Octopus Octopus Server 2022.1.2849 Octopus Octopus Server 2022.1.2875 Octopus Octopus Server 2022.1.2894 Octopus Octopus Server 2022.1.3106 Octopus Octopus Server 2022.1.3135	44

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://advisories.octopus.com/post/2022/sa2022-19/