58 matches found

CVE
added 2019/05/01 2:29 p.m. | 32 views

CVE-2019-11632

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom U...

CVSS 8.1 | AI score 7.8 | EPSS 0.00409

CVE
added 2023/08/02 6:15 a.m. | 32 views

CVE-2022-2416

In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.

CVSS 5.5 | AI score 4.6 | EPSS 0.00082

CVE
added 2023/01/31 4:15 a.m. | 32 views

CVE-2022-4898

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07 however it was identified that the fix could be bypassed in certain circumstances. A different approach was taken ...

CVSS 5.4 | AI score 5.1 | EPSS 0.00036

CVE
added 2018/06/11 10:29 a.m. | 30 views

CVE-2018-12089

In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fi...

CVSS 7.5 | AI score 7.4 | EPSS 0.00347

CVE
added 2022/10/06 6:15 p.m. | 30 views

CVE-2022-2781

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.

CVSS 5.3 | AI score 5.4 | EPSS 0.00116

CVE
added 2023/05/18 12:15 a.m. | 26 views

CVE-2022-4870

In affected versions of Octopus Deploy it is possible to discover network details via error message.

CVSS 5.3 | AI score 5.3 | EPSS 0.00186

CVE
added 2023/12/14 8:15 a.m. | 24 views

CVE-2023-1904

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.

CVSS 7.5 | AI score 5.8 | EPSS 0.00248

CVE
added 2024/04/09 1:15 a.m. | 24 views

CVE-2024-2975

A race condition was identified through which privilege escalation was possible in certain configurations.

CVSS 8.8 | AI score 7.1 | EPSS 0.00299

Total number of security vulnerabilities: 58