Vulnerabilities > Octopus

DATE CVE VULNERABILITY TITLE RISK
2022-06-13 CVE-2022-2013 Unspecified vulnerability in Octopus Deploy
In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space.
network
octopus
4.3
2022-05-19 CVE-2022-1670 Unspecified vulnerability in Octopus Deploy
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users.
network
low complexity
octopus
5.0
2022-05-04 CVE-2022-1502 Incorrect Authorization vulnerability in Octopus Server
Permissions were not properly verified in the API on projects using version control in Git.
network
octopus CWE-863
3.5
2022-02-07 CVE-2022-23184 Open Redirect vulnerability in Octopus Deploy
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
network
octopus CWE-601
5.8
2022-01-19 CVE-2021-31821 Cleartext Storage of Sensitive Information vulnerability in Octopus Tentacle
When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext.
local
low complexity
octopus CWE-312
2.1
2021-11-24 CVE-2021-31822 Incorrect Default Permissions vulnerability in Octopus Tentacle
When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured.
local
low complexity
octopus CWE-276
4.6
2021-10-07 CVE-2021-26556 Untrusted Search Path vulnerability in Octopus Deploy
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
4.4
2021-10-07 CVE-2021-26557 Untrusted Search Path vulnerability in Octopus Tentacle 3.15.4/5.0.0
When Octopus Tentacle is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
4.4
2021-09-22 CVE-2021-31819 Deserialization of Untrusted Data vulnerability in Octopus Halibut
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.
network
low complexity
octopus CWE-502
critical
10.0
2021-08-18 CVE-2021-31820 Cleartext Storage of Sensitive Information vulnerability in Octopus Server
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
network
low complexity
octopus CWE-312
5.0