Vulnerabilities > Octopus
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-06 | CVE-2022-2781 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. | 5.3 |
| 2022-10-06 | CVE-2022-2783 | Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token | 5.3 |
| 2022-09-30 | CVE-2022-2778 | Unspecified vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | 9.8 |
| 2022-09-28 | CVE-2022-2760 | Information Exposure Through an Error Message vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. | 4.3 |
| 2022-08-19 | CVE-2022-1901 | Improper Privilege Management vulnerability in Octopus Server In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. | 5.3 |
| 2022-06-13 | CVE-2022-2013 | Unspecified vulnerability in Octopus Deploy In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have access to the Script Console within their private space. network octopus | 4.3 |
| 2022-05-19 | CVE-2022-1670 | Unspecified vulnerability in Octopus Server When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. | 5.0 |
| 2022-05-04 | CVE-2022-1502 | Unspecified vulnerability in Octopus Server Permissions were not properly verified in the API on projects using version control in Git. | 4.3 |
| 2022-02-07 | CVE-2022-23184 | Open Redirect vulnerability in Octopus Deploy In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects. | 5.8 |
| 2022-01-19 | CVE-2021-31821 | Cleartext Storage of Sensitive Information vulnerability in Octopus Tentacle When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. | 2.1 |