Vulnerabilities > Octopus > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-10-27 CVE-2022-2508 Information Exposure Through an Error Message vulnerability in Octopus Server
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
network
low complexity
octopus CWE-209
5.3
2022-10-13 CVE-2022-2828 Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
network
low complexity
octopus CWE-639
6.5
2022-10-12 CVE-2022-2720 Unspecified vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
network
low complexity
octopus
5.3
2022-10-06 CVE-2022-2781 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
network
low complexity
octopus CWE-327
5.3
2022-10-06 CVE-2022-2783 Cross-Site Request Forgery (CSRF) vulnerability in Octopus Server
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
network
low complexity
octopus CWE-352
5.3
2022-09-28 CVE-2022-2760 Information Exposure Through an Error Message vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
network
low complexity
octopus CWE-209
4.3
2022-09-09 CVE-2022-2528 Incorrect Default Permissions vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
network
low complexity
octopus CWE-276
6.5
2022-08-19 CVE-2022-1901 Improper Privilege Management vulnerability in Octopus Server
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
network
low complexity
octopus CWE-269
5.3
2022-07-19 CVE-2022-30532 Unspecified vulnerability in Octopus Server
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
network
low complexity
octopus
5.3
2022-07-15 CVE-2022-1881 Authorization Bypass Through User-Controlled Key vulnerability in Octopus Server
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access.
network
low complexity
octopus CWE-639
5.3