CVE-2022-2528
published 2022-09-09

CVE-2022-2528: In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.

Priority: P4 (33), medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.43% (34.4th percentile)

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octopus | octopus_server | 2018.1.0 – 2021.3.13021 | |
| octopus | octopus_server | >= 2022.1.0 < 2022.1.3106 | 2022.1.3106 |
| octopus | octopus_server | >= 2022.2.6729 < 2022.2.7718 | 2022.2.7718 |
| octopus | octopus_server | >= 2022.3.348 < 2022.3.7782 | 2022.3.7782 |
| octopus | octopus_server | 3.0.0 – 4.1.10 | |
| octopus_deploy | octopus_server | >= 2022.2.6729 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= 2022.3.348 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= 3.0 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= unspecified < 2022.1.3106 | 2022.1.3106 |
| octopus_deploy | octopus_server | >= unspecified < 2022.2.7718 | 2022.2.7718 |
| octopus_deploy | octopus_server | >= unspecified < 2022.3.7782 | 2022.3.7782 |