Vulnerabilities > Octopus > Octopus Server > 3.3.24

DATE CVE VULNERABILITY TITLE RISK
2023-05-18 CVE-2022-4870 Information Exposure Through an Error Message vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to discover network details via error message
network
low complexity
octopus CWE-209
5.3
2023-05-10 CVE-2022-4008 Resource Exhaustion vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
local
low complexity
octopus CWE-400
5.5
2023-03-16 CVE-2022-4009 Command Injection vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
network
low complexity
octopus CWE-77
8.8
2023-02-22 CVE-2022-2883 Unrestricted Upload of File with Dangerous Type vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
network
low complexity
octopus CWE-434
7.5
2022-10-27 CVE-2022-2508 Information Exposure Through an Error Message vulnerability in Octopus Server
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
network
low complexity
octopus CWE-209
5.3
2022-10-27 CVE-2022-2782 Insufficient Session Expiration vulnerability in Octopus Server
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
network
low complexity
octopus CWE-613
critical
9.1
2022-10-06 CVE-2022-2781 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
network
low complexity
octopus CWE-327
5.3
2022-09-30 CVE-2022-2778 Unspecified vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
network
low complexity
octopus
critical
9.8
2017-07-17 CVE-2017-11348 Path Traversal vulnerability in Octopus Deploy and Octopus Server
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files.
network
octopus CWE-22
6.3