Vulnerabilities > Octopus > Octopus Server > 2019.5.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-03 | CVE-2022-3460 | Improper Cross-boundary Removal of Sensitive Data vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview. | 7.5 |
| 2022-11-01 | CVE-2022-2572 | Improper Authentication vulnerability in Octopus Server In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | 9.8 |
| 2022-10-27 | CVE-2022-2508 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |
| 2022-10-27 | CVE-2022-2782 | Insufficient Session Expiration vulnerability in Octopus Server In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | 9.1 |
| 2022-10-12 | CVE-2022-2720 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. | 5.3 |
| 2022-10-06 | CVE-2022-2781 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | 5.3 |
| 2022-10-06 | CVE-2022-2783 | Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | 5.3 |
| 2022-09-30 | CVE-2022-2778 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | 9.8 |
| 2022-09-09 | CVE-2022-2528 | Incorrect Default Permissions vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. | 6.5 |
| 2022-08-19 | CVE-2022-2049 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. | 7.5 |