60 matches found
CVE-2022-2828
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
CVE-2019-15698
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. This is fixed in 2019.7.10.
CVE-2023-4509
It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
CVE-2024-9194
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3...
CVE-2025-0589
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly woul...
CVE-2025-0526
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
CVE-2022-23184
In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
CVE-2022-1670
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
CVE-2022-2074
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2049
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2024-4456
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
CVE-2025-0513
In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of the error message they could embed code which may impact the user viewing the error message.
CVE-2022-4009
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
CVE-2022-1901
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2022-29890
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2025-0525
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
CVE-2022-1881
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVE-2022-2778
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVE-2022-3460
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly u...
CVE-2024-4226
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
CVE-2022-2075
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
CVE-2022-30532
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
CVE-2025-0539
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
CVE-2022-2508
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging.
CVE-2022-2259
In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items
CVE-2022-2720
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
CVE-2022-2721
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.
CVE-2017-11348
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
CVE-2022-2783
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVE-2024-4811
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts.
CVE-2019-8944
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
CVE-2022-2780
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.
CVE-2019-14525
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
CVE-2020-16197
An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain c...
CVE-2024-6972
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
CVE-2022-2528
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
CVE-2022-3614
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
CVE-2022-2782
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
CVE-2022-2883
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2018-11320
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
CVE-2021-26556
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
CVE-2022-2507
In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVE-2022-2572
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CVE-2024-7998
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
CVE-2021-31820
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
CVE-2022-2258
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items
CVE-2022-2346
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-2760
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
CVE-2024-1656
Affected versions of Octopus Server had a weak content security policy.