CVE-2024-4226
Published: 2024-04-30
Priority: P4 14 | Severity: Low | Score: 3.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.30% (22.0th percentile)
It was identified that in certain versions of Octopus Server, a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devise-two-factor | devise-two-factor | >= 4.0.0 < 6.0.0 | 6.0.0 |
| octopus | octopus_server | >= 2022.2.6729 < 2022.2.7934 | 2022.2.7934 |
| octopus | octopus_server | >= 2022.3.348 < 2022.3.9163 | 2022.3.9163 |
| octopus_deploy | octopus_server | >= 2022.2.5205 < 2022.2.7934 | 2022.2.7934 |
| octopus_deploy | octopus_server | >= 2022.3.348 < 2022.3.9163 | 2022.3.9163 |
GHSA
CVE-2024-8796 [MEDIUM] CWE-331: Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length (ghsa · 2024-09-17)
### Summary
Under the default configuration, Devise-Two-Factor versions 1.0.0 or >= 4.0.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226). Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
### Remediation
Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.
If upgrading is not possible, you can ov
GHSA
GHSA-9f97-gpg7-4cqv / CVE-2024-4226 [LOW] CWE-276 (ghsa_unreviewed · 2024-04-30)
It was identified that in certain versions of Octopus Server, a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.