Lucene search

OctopusCVELIST:CVE-2024-4226

HistoryApr 30, 2024 - 1:53 a.m.

CVE-2024-4226

2024-04-3001:53:34

Octopus

www.cve.org

octopus server

vulnerability

user permissions

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

Percentile

9.0%

JSON

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows",
      "Linux"
    ],
    "product": "Octopus Server",
    "vendor": "Octopus Deploy",
    "versions": [
      {
        "lessThan": "2022.2.7934",
        "status": "affected",
        "version": "2022.2.5205",
        "versionType": "custom"
      },
      {
        "lessThan": "2022.3.9163",
        "status": "affected",
        "version": "2022.3.348",
        "versionType": "custom"
      }
    ]
  }
]

References

advisories.octopus.com/post/2024/SA2024-03/

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-4226