CVE-2022-1670

Summary

When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server0.9 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2021.3.12533affected
Octopus DeployOctopus Server2022.1.0 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.1.53affected

Weaknesses

  • User invitation limit in Octopus Server can be exceeded

ADP Enrichment

CVE Program Container

Additional References

References