Vulnerabilities > Octopus
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-05-21 | CVE-2018-11320 | Information Exposure Through Log Files vulnerability in Octopus Server In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. | 9.8 |
| 2018-05-01 | CVE-2018-10581 | Information Exposure vulnerability in Octopus Deploy In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. | 5.4 |
| 2018-04-30 | CVE-2018-10550 | Improper Privilege Management vulnerability in Octopus Deploy In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. | 7.5 |
| 2018-03-27 | CVE-2018-9039 | Missing Authorization vulnerability in Octopus Deploy In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. | 6.5 |
| 2018-01-16 | CVE-2018-5706 | Improper Privilege Management vulnerability in Octopus Deploy An issue was discovered in Octopus Deploy before 4.1.9. | 8.8 |
| 2018-01-03 | CVE-2018-4862 | Improper Privilege Management vulnerability in Octopus Deploy In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, resulting in a potential escalation of privileges. | 8.8 |
| 2017-12-13 | CVE-2017-17665 | Missing Authorization vulnerability in Octopus Deploy In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. | 8.8 |
| 2017-11-14 | CVE-2017-16810 | Cross-site Scripting vulnerability in Octopus Deploy Cross-site scripting (XSS) vulnerability in the All Variables tab in Octopus Deploy 3.4.0-3.13.6 (fixed in 3.13.7) allows remote attackers to inject arbitrary web script or HTML via the Variable Set Name parameter. | 5.4 |
| 2017-11-13 | CVE-2017-16801 | Cross-site Scripting vulnerability in Octopus Deploy Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17.13 (fixed in 3.17.14) allows remote authenticated users to inject arbitrary web script or HTML via the Step Template Name parameter. | 5.4 |
| 2017-10-19 | CVE-2017-15611 | Incorrect Permission Assignment for Critical Resource vulnerability in Octopus Deploy In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges. | 6.5 |