Vulnerabilities > Octopus > Octopus Server > 3.17.9
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-18 | CVE-2022-4870 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to discover network details via error message | 5.3 |
| 2023-05-10 | CVE-2022-4008 | Resource Exhaustion vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 5.5 |
| 2023-04-19 | CVE-2022-2507 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage | 5.3 |
| 2023-03-16 | CVE-2022-4009 | Command Injection vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation | 8.8 |
| 2023-02-22 | CVE-2022-2883 | Unrestricted Upload of File with Dangerous Type vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service | 7.5 |
| 2023-01-03 | CVE-2022-3614 | Open Redirect vulnerability in Octopus Server In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation. | 6.1 |
| 2022-11-01 | CVE-2022-2572 | Improper Authentication vulnerability in Octopus Server In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked. | 9.8 |
| 2022-10-27 | CVE-2022-2508 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. | 5.3 |
| 2022-10-27 | CVE-2022-2782 | Insufficient Session Expiration vulnerability in Octopus Server In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. | 9.1 |
| 2022-10-12 | CVE-2022-2720 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. | 5.3 |