CVE-2022-2572
Published 2022-11-01
Priority P3 (57) · Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.83% (53.0th percentile)
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
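The weakness described above is that API keys are a credential local to the server, so deprovisioning a user in the external identity provider (or disabling/deleting the local record) does not by itself stop a key from authenticating unless the key validator checks the owner's state on every request. The following is an added illustration and is not Octopus Deploy's code: a constructed in-memory user and key store, a validator that accepts any stored key beside one that also requires the owning account to exist and be active, and an audit that lists keys surviving a disable or delete. All names, fields and sample records are assumptions made for the example.

```python
"""Added example, not Octopus Deploy code: a minimal model of the CWE-287 flaw
behind CVE-2022-2572 (an API key that keeps working after its owner is disabled
or deleted), the corrected check, and an audit that finds such keys.
All class names, fields and sample records are constructed."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class User:
    user_id: str
    username: str
    # Cleared when the external identity provider deprovisions the account
    # (or an admin disables it). Sessions stop; API keys only stop if the
    # key validator looks at this flag.
    is_active: bool = True

@dataclass
class ApiKey:
    key_id: str
    user_id: str
    key_hash: str          # only a digest of the raw key is stored
    revoked: bool = False  # set only when the key itself is explicitly revoked

class Directory:
    """In-memory stand-in for the server's user store and API key store."""
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.keys_by_hash: Dict[str, ApiKey] = {}

    @staticmethod
    def digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def add_user(self, user_id: str, username: str) -> None:
        self.users[user_id] = User(user_id, username)

    def issue_key(self, user_id: str) -> str:
        """Mint a key for an existing user and return the raw value once."""
        if user_id not in self.users:
            raise KeyError(user_id)
        raw = "API-" + secrets.token_hex(16)
        h = self.digest(raw)
        self.keys_by_hash[h] = ApiKey(f"key-{len(self.keys_by_hash) + 1}", user_id, h)
        return raw

    def disable_user(self, user_id: str) -> None:
        """What an IdP sync or admin 'disable' does: flags the user, touches no keys."""
        self.users[user_id].is_active = False

    def delete_user(self, user_id: str) -> None:
        """Removes the user record; its keys are left behind (the orphan case)."""
        del self.users[user_id]

def authenticate_vulnerable(d: Directory, raw_key: str) -> Optional[str]:
    """Flawed validator: consults only the key table, so the key of a disabled
    or deleted user is still accepted. Returns the user_id the key maps to."""
    key = d.keys_by_hash.get(Directory.digest(raw_key))
    if key is None or key.revoked:
        return None
    return key.user_id

def authenticate_fixed(d: Directory, raw_key: str) -> Optional[str]:
    """Corrected validator: key must exist and be unrevoked, AND its owner must
    still exist and be active at request time."""
    key = d.keys_by_hash.get(Directory.digest(raw_key))
    if key is None or key.revoked:
        return None
    owner = d.users.get(key.user_id)
    if owner is None or not owner.is_active:
        return None
    return owner.user_id

def audit_orphaned_keys(d: Directory) -> List[str]:
    """Detection: unrevoked keys whose owner is disabled or no longer exists."""
    return sorted(
        k.key_id for k in d.keys_by_hash.values()
        if not k.revoked and (k.user_id not in d.users or not d.users[k.user_id].is_active)
    )

def demo() -> dict:
    d = Directory()
    for uid, name in (("u1", "alice"), ("u2", "bob"), ("u3", "carol")):
        d.add_user(uid, name)
    k_alice, k_bob, k_carol = (d.issue_key(u) for u in ("u1", "u2", "u3"))
    d.disable_user("u1")  # alice deprovisioned through the external provider
    d.delete_user("u2")   # bob's record removed outright
    return {
        "vuln_alice": authenticate_vulnerable(d, k_alice),  # "u1": still accepted
        "vuln_bob": authenticate_vulnerable(d, k_bob),      # "u2": still accepted
        "fixed_alice": authenticate_fixed(d, k_alice),      # None
        "fixed_bob": authenticate_fixed(d, k_bob),          # None
        "fixed_carol": authenticate_fixed(d, k_carol),      # "u3": active user still works
        "orphans": audit_orphaned_keys(d),                  # ["key-1", "key-2"]
    }
```

Calling demo() shows the two validators diverging on the same keys: the flawed one keeps returning a user id for the disabled and the deleted account, the corrected one returns None for both and still accepts the active user. audit_orphaned_keys is the shape of inventory check worth running alongside an upgrade, because a server-side fix changes how keys are validated, not which keys already exist.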
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octopus | octopus_server | >= 2022.2.6729 < 2022.2.8277 | 2022.2.8277 |
| octopus | octopus_server | >= 2022.3.348 < 2022.3.10586 | 2022.3.10586 |
| octopus | octopus_server | >= 2022.4.791 < 2022.4.2898 | 2022.4.2898 |
| octopus | octopus_server | >= 3.5 < 2022.1.3264 | 2022.1.3264 |
| octopus_deploy | octopus_server | >= 2022.2.6729 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= 2022.3.348 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= 2022.4.791 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= 3.5 < unspecified | unspecified |
| octopus_deploy | octopus_server | >= unspecified < 2022.1.3264 | 2022.1.3264 |
| octopus_deploy | octopus_server | >= unspecified < 2022.2.8277 | 2022.2.8277 |
| octopus_deploy | octopus_server | >= unspecified < 2022.3.10586 | 2022.3.10586 |
| octopus_deploy | octopus_server | >= unspecified < 2022.4.2898 | 2022.4.2898 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cisa | | 7.8 | HIGH | score of the KEV record for CVE-2010-2572 (Microsoft PowerPoint), not of this CVE |
GHSA
GHSA-g7j7-888j-qv8x · CVE-2022-2572 · CRITICAL · CWE-287 (Improper Authentication) · ghsa_unreviewed · 2022-11-01
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
CISA
The KEV record indexed here is not for this CVE: it is the entry for CVE-2010-2572, a Microsoft PowerPoint buffer overflow (CWE-119), and says nothing about exploitation of CVE-2022-2572 in Octopus Server. It is reproduced below only for the record.
Microsoft PowerPoint Buffer Overflow Vulnerability
cisa · 2022-06-08 · CVSS 7.8
CVE-2010-2572 [HIGH] CWE-119
Vulnerability: Microsoft PowerPoint Buffer Overflow Vulnerability
Affected: Microsoft PowerPoint
Microsoft PowerPoint contains a buffer overflow vulnerability that allows remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-2572
Remediation Due Date: 2022-06-22
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.