Octopus Octopus_deploy
31 CVEs affecting Octopus Octopus_deploy. Latest disclosed: 2023-05-02. Critical: 0, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-10678 | High | 8.8 | 2020-03-19 | In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server, an authenticated user can leverage a bug… |
| CVE-2018-5706 | High | 8.8 | 2018-01-16 | An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves Administer System permission… |
| CVE-2018-4862 | High | 8.8 | 2018-01-03 | In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as… |
| CVE-2017-17665 | High | 8.8 | 2017-12-13 | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass bec… |
| CVE-2019-11632 | High | 8.1 | 2019-05-01 | In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permissi… |
| CVE-2021-26556 | High | 7.8 | 2021-10-07 | When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loadin… |
| CVE-2022-2013 | High | 7.5 | 2022-06-13 | In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if private spaces were enabled via the experimental feature flag all new users would have ac… |
| CVE-2020-27155 | High | 7.5 | 2020-10-22 | An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trus… |
| CVE-2020-25825 | High | 7.5 | 2020-10-12 | In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensitive information to the user in the task logs. |
| CVE-2020-24566 | High | 7.5 | 2020-09-09 | In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and… |
| CVE-2018-10550 | High | 7.5 | 2018-04-30 | In Octopus Deploy before 2018.4.7, target and tenant tag variable scopes were not checked against the list of tenants the user has access to. |
| CVE-2017-15609 | High | 7.5 | 2017-10-19 | Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop T… |
| CVE-2020-14470 | Medium | 6.5 | 2020-06-19 | In Octopus Deploy 2018.8.0 through 2019.x before 2019.12.2, an authenticated user with could trigger a deployment that leaks the Helm Chart repository password. |
| CVE-2019-19376 | Medium | 6.5 | 2019-11-28 | In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and c… |
| CVE-2019-14268 | Medium | 6.5 | 2019-07-25 | In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a… |
| CVE-2019-8944 | Medium | 6.5 | 2019-02-20 | An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users t… |
| CVE-2018-12884 | Medium | 6.5 | 2018-06-26 | In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user with incorrect permissions may be able to create Accounts under the Infrastructure menu. |
| CVE-2018-9039 | Medium | 6.5 | 2018-03-27 | In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, with variable edit permissions, can scope some variables to targets greater than their… |
| CVE-2017-15611 | Medium | 6.5 | 2017-10-19 | In Octopus before 3.17.7, an authenticated user who was explicitly granted the permission to invite new users (aka UserInvite) can invite users to teams with e… |
| CVE-2017-15610 | Medium | 6.5 | 2017-10-19 | An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access i… |