Octopus Octopus_deploy

31 CVEs affecting Octopus Octopus_deploy. Latest disclosed: 2023-05-02. Critical: 0, High: 12.

Top CVEs affecting Octopus Octopus_deploy
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-10678 | High | 8.8 | 2020-03-19 | In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug… |
| CVE-2018-5706 | High | 8.8 | 2018-01-16 | An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permission… |
| CVE-2018-4862 | High | 8.8 | 2018-01-03 | In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as… |
| CVE-2017-17665 | High | 8.8 | 2017-12-13 | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass bec… |
| CVE-2019-11632 | High | 8.1 | 2019-05-01 | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permissi… |
| CVE-2021-26556 | High | 7.8 | 2021-10-07 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loadin… |
| CVE-2022-2013 | High | 7.5 | 2022-06-13 | In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have ac… |
| CVE-2020-27155 | High | 7.5 | 2020-10-22 | An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trus… |
| CVE-2020-25825 | High | 7.5 | 2020-10-12 | In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs. |
| CVE-2020-24566 | High | 7.5 | 2020-09-09 | In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and… |
| CVE-2018-10550 | High | 7.5 | 2018-04-30 | In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. |
| CVE-2017-15609 | High | 7.5 | 2017-10-19 | Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop T… |
| CVE-2020-14470 | Medium | 6.5 | 2020-06-19 | In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password. |
| CVE-2019-19376 | Medium | 6.5 | 2019-11-28 | In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and c… |
| CVE-2019-14268 | Medium | 6.5 | 2019-07-25 | In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a… |
| CVE-2019-8944 | Medium | 6.5 | 2019-02-20 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users t… |
| CVE-2018-12884 | Medium | 6.5 | 2018-06-26 | In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. |
| CVE-2018-9039 | Medium | 6.5 | 2018-03-27 | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their… |
| CVE-2017-15611 | Medium | 6.5 | 2017-10-19 | In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with e… |
| CVE-2017-15610 | Medium | 6.5 | 2017-10-19 | An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access i… |