Lucene search

[email protected]CVE-2022-29890

HistoryJul 15, 2022 - 8:15 a.m.

CVE-2022-29890

2022-07-1508:15:07

CWE-79

[email protected]

web.nvd.nist.gov

octopus server

xss

cross-site scripting

security vulnerability

cve-2022-29890

nvd

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

Affected configurations

NVD

Node

octopusoctopus_serverRange2019.7.0–2021.3.13021

octopusoctopus_serverRange2022.1.2121–2022.1.2849

octopusoctopus_serverRange2022.3.348–2022.3.2387

octopusoctopus_serverMatch2022.2.6729

CPENameOperatorVersion
octopus:octopus_serveroctopus octopus serverlt2021.3.13021
octopus:octopus_serveroctopus octopus serverlt2022.1.2849
octopus:octopus_serveroctopus octopus serverlt2022.3.2387
octopus:octopus_serveroctopus octopus servereq2022.2.6729

CPE	Name	Operator	Version
octopus:octopus_server	octopus octopus server	lt	2021.3.13021
octopus:octopus_server	octopus octopus server	lt	2022.1.2849
octopus:octopus_server	octopus octopus server	lt	2022.3.2387
octopus:octopus_server	octopus octopus server	eq	2022.2.6729

CNA Affected

[
  {
    "product": "Octopus Server",
    "vendor": "Octopus Deploy",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2019.7.0",
        "versionType": "custom"
      },
      {
        "lessThan": "2021.3.13021",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2022.1.2121",
        "versionType": "custom"
      },
      {
        "lessThan": "2022.1.2894",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2022.2.6729",
        "versionType": "custom"
      },
      {
        "lessThan": "2022.2.6971",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "2022.3.348",
        "versionType": "custom"
      },
      {
        "lessThan": "2022.3.2387",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

advisories.octopus.com/post/2022/sa2022-07/

Social References

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

31.5%

JSON

Related for CVE-2022-29890

prion1 cvelist1 nvd1