Vulnerabilities > Octopus > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-04-30 CVE-2018-10550 Improper Privilege Management vulnerability in Octopus Deploy
In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to.
network
low complexity
octopus CWE-269
5.0
2018-03-27 CVE-2018-9039 Missing Authorization vulnerability in Octopus Deploy
In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow.
network
low complexity
octopus CWE-862
4.0
2018-01-16 CVE-2018-5706 Improper Privilege Management vulnerability in Octopus Deploy
An issue was discovered in Octopus Deploy before 4.1.9.
network
low complexity
octopus CWE-269
6.5
2018-01-03 CVE-2018-4862 Improper Privilege Management vulnerability in Octopus Deploy
In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, resulting in a potential escalation of privileges.
network
low complexity
octopus CWE-269
6.5
2017-12-13 CVE-2017-17665 Missing Authorization vulnerability in Octopus Deploy
In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments.
network
low complexity
octopus CWE-862
6.5
2017-10-19 CVE-2017-15611 Incorrect Permission Assignment for Critical Resource vulnerability in Octopus Deploy
In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.
network
low complexity
octopus CWE-732
4.0
2017-10-19 CVE-2017-15610 Information Exposure vulnerability in Octopus Deploy
An issue was discovered in Octopus before 3.17.7.
network
low complexity
octopus CWE-200
4.0
2017-10-19 CVE-2017-15609 Missing Encryption of Sensitive Data vulnerability in Octopus Deploy
Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.
network
low complexity
octopus CWE-311
5.0
2017-07-17 CVE-2017-11348 Path Traversal vulnerability in Octopus Deploy and Octopus Server
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files.
network
octopus CWE-22
6.3