CVE-2022-1881

Summary

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2021.1.1 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2021.3.13021affected
Octopus DeployOctopus Server2022.1.2121 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.1.2894affected
Octopus DeployOctopus Server2022.2.6729 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.6971affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.2616affected

Weaknesses

  • Insecure Direct Object Reference (IDOR)

ADP Enrichment

CVE Program Container

Additional References

References