Vulnerabilities > Octopus

DATE CVE VULNERABILITY TITLE RISK
2021-10-07 CVE-2021-26556 Untrusted Search Path vulnerability in Octopus Deploy
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
4.4
2021-10-07 CVE-2021-26557 Untrusted Search Path vulnerability in Octopus Tentacle 3.15.4/5.0.0
When Octopus Tentacle is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
4.4
2021-09-22 CVE-2021-31819 Deserialization of Untrusted Data vulnerability in Octopus Halibut
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.
network
low complexity
octopus CWE-502
critical
10.0
2021-08-18 CVE-2021-31820 Cleartext Storage of Sensitive Information vulnerability in Octopus Server
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
network
low complexity
octopus CWE-312
5.0
2021-07-08 CVE-2021-31816 Cleartext Storage of Sensitive Information vulnerability in Octopus Server
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
network
low complexity
octopus CWE-312
5.0
2021-07-08 CVE-2021-31817 Cleartext Storage of Sensitive Information vulnerability in Octopus Server 2021.1.6959
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
network
low complexity
octopus CWE-312
5.0
2021-06-17 CVE-2021-31818 SQL Injection vulnerability in Octopus Server 2021.1.6959
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly.
network
low complexity
octopus CWE-89
4.0
2021-05-14 CVE-2021-30183 Cleartext Storage of Sensitive Information vulnerability in Octopus Server
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
network
low complexity
octopus CWE-312
5.0
2021-01-22 CVE-2021-21270 Cleartext Transmission of Sensitive Information vulnerability in Octopus Octopusdsc
OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent.
local
low complexity
octopus CWE-319
2.1
2020-10-26 CVE-2020-26161 Open Redirect vulnerability in Octopus Deploy
In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.
network
octopus CWE-601
5.8