Octopus Server Security Vulnerabilities - CVSS Score 9 - 10

CVE-2018-11320

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.

CVSS: 9.8, AI Score: 9.3, EPSS: 0.002

2018-05-21 02:29 PM

CVE-2022-2572

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

CVSS: 9.8, AI Score: 9.5, EPSS: 0.002

2022-11-01 02:15 AM

CVE-2022-2778

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.

CVSS: 9.8, AI Score: 9.3, EPSS: 0.002

2022-09-30 04:15 AM

CVE-2022-2782

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.

CVSS: 9.1, AI Score: 9.1, EPSS: 0.002

2022-10-27 10:15 AM