API Key Validity Issue in Octopus Server by Octopus Deploy
CVE-2022-2572

9.8 CRITICAL

Key Information:

Vendor: Octopus Deploy
CVE Published: 1 November 2022

What is CVE-2022-2572?

In certain versions of Octopus Server, a vulnerability was identified in the access management system when it is integrated with external authentication providers. API keys belonging to users who have been disabled or deleted remain valid, so a former user can keep authenticating and executing actions after their access has been revoked. Because the key alone is accepted without regard to the owner's current state, this is a serious risk for any instance that relies on disabling or deleting accounts to withdraw access; mitigating it is essential for secure user management.
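The defect class described above is an authorization check that decides on the key record alone. The following Python model, added here as an illustration and not Octopus Server's code, shows that pattern beside a corrected check that ties a key's validity to its owner's current state, plus an audit helper that lists active keys whose owner is gone or disabled (the check an administrator would want to run after upgrading). All names (User, ApiKey, Store, authenticate_vulnerable, authenticate_fixed, stale_keys) and the in-memory data are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    enabled: bool = True


@dataclass
class ApiKey:
    key_id: str
    owner_id: str
    secret_hash: str  # only a hash of the secret is stored
    revoked: bool = False


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class Store:
    """In-memory stand-in for the user and API-key tables (constructed data)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.keys: dict[str, ApiKey] = {}

    def add_user(self, user_id: str) -> None:
        self.users[user_id] = User(user_id)

    def issue_key(self, user_id: str) -> str:
        """Create a key for user_id and return the only plaintext copy."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self.keys[key_id] = ApiKey(key_id, user_id, _hash(secret))
        return f"{key_id}.{secret}"

    def disable_user(self, user_id: str, revoke_keys: bool) -> None:
        self.users[user_id].enabled = False
        if revoke_keys:
            self.revoke_keys_of(user_id)

    def delete_user(self, user_id: str, revoke_keys: bool) -> None:
        del self.users[user_id]
        if revoke_keys:
            self.revoke_keys_of(user_id)

    def revoke_keys_of(self, user_id: str) -> None:
        for k in self.keys.values():
            if k.owner_id == user_id:
                k.revoked = True


def _lookup(store: Store, presented: str) -> Optional[ApiKey]:
    """Shared part of both checks: find the key record and verify the secret."""
    key_id, _, secret = presented.partition(".")
    rec = store.keys.get(key_id)
    if rec is None or rec.revoked:
        return None
    if not hmac.compare_digest(rec.secret_hash, _hash(secret)):
        return None
    return rec


def authenticate_vulnerable(store: Store, presented: str) -> Optional[str]:
    """Defect pattern: the key table alone decides; the owner's state is never read."""
    rec = _lookup(store, presented)
    return rec.owner_id if rec else None


def authenticate_fixed(store: Store, presented: str) -> Optional[str]:
    """A key is only as valid as its owner: missing or disabled owner means reject."""
    rec = _lookup(store, presented)
    if rec is None:
        return None
    owner = store.users.get(rec.owner_id)
    if owner is None or not owner.enabled:
        return None
    return owner.user_id


def stale_keys(store: Store) -> list[str]:
    """Audit helper: unrevoked keys whose owner is deleted or disabled."""
    out = []
    for k in store.keys.values():
        owner = store.users.get(k.owner_id)
        if not k.revoked and (owner is None or not owner.enabled):
            out.append(k.key_id)
    return sorted(out)


def demo() -> dict:
    store = Store()
    for name in ("alice", "bob", "carol"):
        store.add_user(name)
    alice_key = store.issue_key("alice")
    bob_key = store.issue_key("bob")
    carol_key = store.issue_key("carol")
    # Lifecycle events as the defective pattern handles them: keys untouched.
    store.disable_user("alice", revoke_keys=False)
    store.delete_user("bob", revoke_keys=False)
    results = {
        "vuln_alice": authenticate_vulnerable(store, alice_key),  # still "alice"
        "vuln_bob": authenticate_vulnerable(store, bob_key),      # still "bob"
        "fixed_alice": authenticate_fixed(store, alice_key),      # None
        "fixed_bob": authenticate_fixed(store, bob_key),          # None
        "fixed_carol": authenticate_fixed(store, carol_key),      # "carol"
        "stale_before": stale_keys(store),                        # two key ids
    }
    # Defence in depth: also revoke keys at the lifecycle event itself.
    store.revoke_keys_of("alice")
    store.revoke_keys_of("bob")
    results["stale_after"] = stale_keys(store)
    results["vuln_after_revoke"] = authenticate_vulnerable(store, alice_key)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fixed check performs the owner lookup on every request rather than trusting state captured when the key was issued, and revoking keys on disable or delete closes the same gap from the other side, which matters when key validation is cached or handled by a separate component.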

Affected Version(s)

  • Octopus Server 3.5
  • Octopus Server < 2022.1.3264
  • Octopus Server 2022.2.6729

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved