CVE-2022-2258

2023-03-1300:00:00

Octopus

www.cve.org

octopus deploy

unauthorized access

tagsets

cve-2022-2258

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.2%

JSON

In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items

CNA Affected

[
  {
    "vendor": "Octopus Deploy",
    "product": "Octopus Server",
    "versions": [
      {
        "version": "2019.1.0",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.3.11098",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.4.791",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.4.8463",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2023.1.4189",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2023.1.9672",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

advisories.octopus.com/post/2023/sa2023-03/