
Octopus Server vulnerabilities

64 known vulnerabilities affecting octopus/octopus_server.

Total CVEs: 64
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 18, MEDIUM 36, LOW 4

Vulnerabilities

Page 2 of 4
CVE | priority | severity | CVSS | affected versions | date

CVE-2022-2075 | P3 | HIGH | CVSS 7.5 | ≥ 0.9, ≤ 0.9.620.4; ≥ 1.0, ≤ 1.6.3.1723; +10 more | 2022-08-19
[HIGH] In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
Source: nvd

CVE-2022-2049 | P3 | HIGH | CVSS 7.5 | ≥ 0.9, ≤ 0.9.620.4; ≥ 1.0, ≤ 1.6.3.1723; +10 more | 2022-08-19
[HIGH] In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
Source: nvd

CVE-2021-26556 | P3 | HIGH | CVSS 7.8 | ≥ 2020.5.0, < 2020.5.256 | 2021-10-07
[HIGH] CWE-426: When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
Source: nvd

CVE-2022-2074 | P3 | HIGH | CVSS 7.5 | ≥ 0.9, ≤ 0.9.620.4; ≥ 1.0, ≤ 1.6.3.1723; +10 more | 2022-08-19
[HIGH] In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
Source: nvd

CVE-2024-6972 | P3 | MEDIUM | CVSS 6.5 | ≥ 2024.1.437, < 2024.1.12759; ≥ 2024.2.101, < 2024.2.9193 | 2024-07-25
[MEDIUM] CWE-319: In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
Source: nvd

CVE-2026-4881 | P3 | MEDIUM | CVSS 6.5 | ≥ 2023.1.4189, < 2025.4.10545; ≥ 2026.1.675, < 2026.1.11313 | 2026-06-04
[MEDIUM] CWE-862: In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
Source: nvd

CVE-2022-2828 | P4 | MEDIUM | CVSS 6.5 | ≥ 2022.1.2121, ≤ 2022.1.3135; ≥ 2022.2.0, ≤ 2022.2.7897; +1 more | 2022-10-13
[MEDIUM] CWE-639: In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability.
Source: nvd

CVE-2019-8944 | P4 | MEDIUM | CVSS 6.5 | ≥ 2018.11.0, < 2019.1.8 | 2019-02-20
[MEDIUM] CWE-532: An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.
Source: nvd

CVE-2022-2528 | P4 | MEDIUM | CVSS 6.5 | ≥ 3.0.0, ≤ 4.1.10; ≥ 2018.1.0, ≤ 2021.3.13021; +3 more | 2022-09-09
[MEDIUM] CWE-276: In affected versions of Octopus Deploy it is possible to upload a package to the built-in feed with insufficient permissions after re-indexing packages.
Source: nvd

CVE-2022-3614 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.5, < 2022.3.10750; ≥ 2022.4, < 2022.4.8063 | 2023-01-03
[MEDIUM] CWE-601: In affected versions of Octopus Deploy, users of certain browsers using AD to sign in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect URL without any validation.
Source: nvd

CVE-2025-0526 | P4 | MEDIUM | CVSS 5.4 | ≥ 2022.4.791, < 2024.3.13097; ≥ 2024.4.401, < 2024.4.7091 | 2025-02-11
[MEDIUM] CWE-862: In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Source: nvd

CVE-2025-0589 | P4 | MEDIUM | CVSS 5.3 | ≥ 2020.3.3, < 2024.3.13071; ≥ 2024.4.401, < 2024.4.7065 | 2025-02-11
[MEDIUM] CWE-648: In affected versions of Octopus Deploy where customers are using Active Directory for authentication, it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests, when crafted correctly, would return specific information from user profiles (Emai
Source: nvd

CVE-2022-2507 | P4 | MEDIUM | CVSS 5.3 | fixed in 2023.1.9794; ≥ 2022.4.0, < 2022.4.8332; +1 more | 2023-04-19
[MEDIUM] CWE-79: In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage.
Source: nvd

CVE-2022-23184 | P4 | MEDIUM | CVSS 6.1 | ≥ 2021.2.0, < 2021.2.8011; ≥ 2021.3.0, < 2021.3.11057 | 2022-02-07
[MEDIUM] CWE-601: In affected Octopus Server versions, when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
Source: nvd

CVE-2017-11348 | P4 | MEDIUM | CVSS 5.7 | v3.0.0; v3.0.1; +181 more | 2017-07-17
[MEDIUM] CWE-22: In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
Source: nvd

CVE-2022-2508 | P4 | MEDIUM | CVSS 5.3 | fixed in 2022.1.3264; ≥ 2022.2.0, < 2022.2.8351; +2 more | 2022-10-27
[MEDIUM] CWE-209: In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to, due to verbose error messaging.
Source: nvd

CVE-2022-1881 | P4 | MEDIUM | CVSS 5.3 | ≥ 2021.1.6959, < 2021.3.13021; ≥ 2022.1.2121, < 2022.1.2894; +2 more | 2022-07-15
[MEDIUM] CWE-639: In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
Source: nvd

CVE-2022-1901 | P4 | MEDIUM | CVSS 5.3 | ≥ 2019.1.0, ≤ 2019.7.3; ≥ 2020.1.0, ≤ 2020.6.5449; +4 more | 2022-08-19
[MEDIUM] CWE-269: In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
Source: nvd

CVE-2019-14525 | P4 | MEDIUM | CVSS 4.9 | ≥ 2019.7.0, < 2019.7.6 | 2019-08-05
[MEDIUM] In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.
Source: nvd

CVE-2022-30532 | P4 | MEDIUM | CVSS 5.3 | ≥ 0.9, < 2021.3.13021; ≥ 2022.1.0, < 2022.1.2849; +1 more | 2022-07-19
[MEDIUM] In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
Source: nvd