Security Vulnerability in Octopus Server Allows Unauthorized Access to User Data
CVE-2024-4226

3.5LOW

Key Information:

Vendor: Octopus Deploy
Status: Octopus Server
Vendor: CVE Published:; 30 April 2024

🔔 Create Octopus Deploy Vulnerability Alert

What is CVE-2024-4226?

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.

Affected Version(s)

Octopus Server Windows 2022.2.5205 < 2022.2.7934

Octopus Server Windows 2022.3.348 < 2022.3.9163

References

https://advisories.octopus.com/post/2024/SA2024-03/

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2024
Vulnerability Reserved
Apr 26, 2024