CVE-2024-4226
published 2024-04-30


Priority: P4 / 14 / low
CVSS 3.1 base score: 3.5
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.30% (22.0th percentile)
It was identified that in certain versions of Octopus Server, a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.

Affected (5 ranges)

Vendor            Product             Version range                    Fixed in
devise-two-factor devise-two-factor   >= 4.0.0 < 6.0.0                 6.0.0
octopus           octopus_server      >= 2022.2.6729 < 2022.2.7934     2022.2.7934
octopus           octopus_server      >= 2022.3.348 < 2022.3.9163      2022.3.9163
octopus_deploy    octopus_server      >= 2022.2.5205 < 2022.2.7934     2022.2.7934
octopus_deploy    octopus_server      >= 2022.3.348 < 2022.3.9163      2022.3.9163