CVE-2022-2760

2022-09-2800:00:00

Octopus

www.cve.org

octopus deploy

insecure disclosure

space id

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

CNA Affected

[
  {
    "vendor": "Octopus Deploy",
    "product": "Octopus Server",
    "versions": [
      {
        "version": "2019.5.7",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.1.3180",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.2.6729",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.2.7965",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "2022.3.348",
        "status": "affected",
        "lessThan": "unspecified",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "2022.3.10586",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

advisories.octopus.com/post/2022/sa2022-14/