CVE-2022-2572

2022-11-0100:00:00

Octopus

www.cve.org

octopus server

external authentication

api keys

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

58.3%

JSON

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

CNA Affected

[
  {
    "vendor": "Octopus Deploy",
    "product": "Octopus Server",
    "versions": [
      {
        "version": "3.5",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.1.3264",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.2.6729",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.2.8277",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.3.348",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.3.10586",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.4.791",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.4.2898",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

advisories.octopus.com/post/2022/sa2022-23/