Octopus Deploy Octopus Server vulnerabilities

60 known vulnerabilities affecting octopus_deploy/octopus_server.

Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 18, MEDIUM 34, LOW 4

Vulnerabilities

Page 2 of 3

CVE-2021-26556 | P3 | HIGH | CVSS 7.8 | Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2020.4.229 (+2 more) | 2021-10-07
CWE-426: When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access.
Source: nvd
CVE-2022-2074 | P3 | HIGH | CVSS 7.5 | Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.1.2894 (+4 more) | 2022-08-19
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
Source: nvd
CVE-2024-6972 | P3 | MEDIUM | CVSS 6.5 | Affected versions: ≥ 2024.1, < 2024.1.12759; ≥ 2024.2, < 2024.2.9193 | 2024-07-25
CWE-319: In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text.
Source: nvd
CVE-2026-4881 | P3 | MEDIUM | CVSS 6.5 | Affected versions: ≥ 2023.0.0, < 2025.4.10523; ≥ 2025.4.0, < 2025.4.10545 (+1 more) | 2026-06-04
CWE-862: In affected versions of Octopus Server, permissions were not checked correctly, resulting in any authenticated user being able to make server-level changes using a certain API endpoint despite receiving an error.
Source: nvd
CVE-2022-2828 | P4 | MEDIUM | CVSS 6.5 | Affected versions: ≥ 2022.1.2121, < unspecified; ≥ unspecified, < 2022.1.3135 (+4 more) | 2022-10-13
CWE-639: In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability.
Source: nvd
CVE-2022-2528 | P4 | MEDIUM | CVSS 6.5 | Affected versions: ≥ 3.0, < unspecified; ≥ unspecified, < 2022.1.3106 (+4 more) | 2022-09-09
CWE-276: In affected versions of Octopus Deploy it is possible to upload a package to the built-in feed with insufficient permissions after re-indexing packages.
Source: nvd
CVE-2022-3614 | P4 | MEDIUM | CVSS 6.1 | Affected versions: ≥ 3.5.1, < unspecified; ≥ unspecified, < 2022.2.8552 (+4 more) | 2023-01-03
CWE-601: In affected versions of Octopus Deploy, users of certain browsers using AD to sign in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect URL without any validation.
Source: nvd
CVE-2025-0526 | P4 | MEDIUM | CVSS 5.4 | Affected versions: ≥ 2022.4.791, < 2024.3.13097; ≥ 2024.4.401, < 2024.4.7091 | 2025-02-11
CWE-862: In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Source: nvd
CVE-2025-0589 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 2020.3.3, < 2024.3.13071; ≥ 2024.4.401, < 2024.4.7065 | 2025-02-11
CWE-648: In affected versions of Octopus Deploy where customers are using Active Directory for authentication, it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests, when crafted correctly, would return specific information from user profiles (Emai
Source: nvd
CVE-2022-2507 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 0.9, < unspecified; ≥ 2022.3.348, < unspecified (+4 more) | 2023-04-19
CWE-79: In affected versions of Octopus Deploy it is possible to render user-supplied input into the webpage.
Source: nvd
CVE-2022-23184 | P4 | MEDIUM | CVSS 6.1 | Affected versions: ≥ unspecified, < 2021.2.8011; ≥ unspecified, < 2021.3.11057 | 2022-02-07
CWE-601: In affected Octopus Server versions, when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open redirects.
Source: nvd
CVE-2022-2508 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.1.3264 (+6 more) | 2022-10-27
CWE-209: In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to, due to verbose error messaging.
Source: nvd
CVE-2022-1881 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 2021.1.1, < unspecified; ≥ unspecified, < 2021.3.13021 (+6 more) | 2022-07-15
CWE-639: In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
Source: nvd
CVE-2021-31818 | P4 | MEDIUM | CVSS 4.3 | Affected versions: ≥ 2018.9.17, < unspecified; ≥ unspecified, < 2020.6.5146 (+2 more) | 2021-06-17
CWE-89: Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user-supplied data in the API request isn't parameterised correctly. Exploiting this vulnerability could allow unauthorised access to database tables.
Source: nvd
CVE-2026-8296 | P4 | MEDIUM | CVSS 5.6 | Affected versions: ≥ 2023.0.0, < 2025.4.10678; ≥ 2026.1.0, < 2026.1.11451 (+1 more) | 2026-06-19
CWE-79: In affected versions of Octopus Server, with certain access levels it was possible to embed a Cross-Site Scripting payload via artifacts.
Source: nvd
CVE-2022-1901 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 2019.7.3, < unspecified; ≥ unspecified, < 2022.1.3009 (+4 more) | 2022-08-19
CWE-269: In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
Source: nvd
CVE-2023-2247 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 2018.3.0, < unspecified; ≥ unspecified, < 2022.3.10929 (+2 more) | 2023-05-02
In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function.
Source: nvd
CVE-2022-30532 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2021.3.13021 (+4 more) | 2022-07-19
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
Source: nvd
CVE-2022-2720 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 3.16.4, < unspecified; ≥ unspecified, < 2022.1.3134 (+4 more) | 2022-10-12
CWE-359: In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work.
Source: nvd
CVE-2022-2781 | P4 | MEDIUM | CVSS 5.3 | Affected versions: ≥ 3.2.10, < unspecified; ≥ unspecified, < 2022.1.3154 (+4 more) | 2022-10-06
CWE-327: In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
Source: nvd