Octopus Deploy Security Vulnerabilities and Issues — Octopus Deploy CVE List

Lucene search

OctopusOctopus Deploy

11 matches found

CVE•added 2022/02/07 3:15 a.m.•66 views

CVE-2022-23184

In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.

6.1CVSS6.2AI score0.00185EPSS

CVE•added 2017/10/19 8:29 a.m.•43 views

CVE-2017-15610

An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the pri...

6.5CVSS6.4AI score0.00139EPSS

CVE•added 2017/07/17 1:18 p.m.•42 views

CVE-2017-11348

In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.

6.3CVSS5.4AI score0.01014EPSS

CVE•added 2019/02/20 3:29 a.m.•41 views

CVE-2019-8944

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.

6.5CVSS6.1AI score0.00385EPSS

CVE•added 2017/10/19 8:29 a.m.•39 views

CVE-2017-15611

In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with escalated privileges.

6.5CVSS6.3AI score0.00141EPSS

CVE•added 2020/10/26 6:15 p.m.•35 views

CVE-2020-26161

In Octopus Deploy through 2020.4.2, an attacker could redirect users to an external site via a modified HTTP Host header.

6.1CVSS6.1AI score0.0023EPSS

CVE•added 2019/07/25 4:15 p.m.•34 views

CVE-2019-14268

In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3. The fix was back-porte...

6.5CVSS6.3AI score0.00621EPSS

CVE•added 2018/06/26 11:29 a.m.•31 views

CVE-2018-12884

In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu.

6.5CVSS6.2AI score0.00146EPSS

CVE•added 2019/11/28 5:15 p.m.•30 views

CVE-2019-19376

In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)

6.5CVSS6.3AI score0.00231EPSS

CVE•added 2020/06/19 4:15 p.m.•30 views

CVE-2020-14470

In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password.

6.5CVSS6.4AI score0.00543EPSS

CVE•added 2018/03/27 3:29 a.m.•28 views

CVE-2018-9039

In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their permissions should allow. In other words, they can see machines beyond their team's scoped environments.

6.5CVSS6.3AI score0.00259EPSS