Guest User Interaction Vulnerability in Octopus Deploy by Octopus Deploy
CVE-2022-2346

5.5 MEDIUM

Key Information:

Vendor
CVE Published: 2 August 2023

What is CVE-2022-2346?

In specific versions of Octopus Deploy, a security flaw permits a low-privileged guest user to interact with extension endpoints. This potentially exposes sensitive information and functionality that should be restricted, leading to unauthorized access or manipulation by unprivileged users. Organizations using Octopus Deploy should ensure they are running updated versions to mitigate this risk.

Affected Version(s)

Octopus Server Windows 2019.4.0 < 2022.4.9997

Octopus Server Windows 2023.1.0 < 2023.1.10235

Octopus Server Windows 2023.2.0 < 2023.2.10545

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
