In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
In affected versions of Octopus Server where access is managed by an external authentication provider, the API keys of a disabled or deleted user could remain valid after access was revoked.
CVSS: 9.8 | AI Score: 9.5 | EPSS: 0.002
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVSS: 9.8 | AI Score: 9.3 | EPSS: 0.002
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
CVSS: 9.1 | AI Score: 9.1 | EPSS: 0.002