Known Vulnerabilities
CVE-2022-3460
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
CVE-2022-2828
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability
CVE-2022-30532
In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
CVE-2022-29890
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-1881
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.