User Invitation Code Bypass in Octopus Server by Octopus Deploy
CVE-2022-1670

7.5HIGH

Key Information:

Vendor: Octopus Deploy
Status: Octopus Server
Vendor: CVE Published:; 19 May 2022

🔔 Create Octopus Deploy Vulnerability Alert

What is CVE-2022-1670?

A vulnerability in Octopus Server allows users to bypass the validity restrictions on generated user invitation codes. This oversight enables the creation of additional user accounts, exceeding the initially permitted number, potentially compromising the integrity of user management. It is crucial for organizations using Octopus Server to apply the necessary patches to mitigate this risk and ensure the security of their systems.

Affected Version(s)

Octopus Server 0.9

Octopus Server < 2021.3.12533

Octopus Server 2022.1.0

References

https://advisories.octopus.com/post/2022/sa2022-04/

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2022
Vulnerability Reserved
May 11, 2022