CVE-2022-2572

Summary

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server3.5 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.1.3264affected
Octopus DeployOctopus Server2022.2.6729 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.8277affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.10586affected
Octopus DeployOctopus Server2022.4.791 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.4.2898affected

Weaknesses

  • Broken Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References