CVE-2022-2780

Summary

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2021.2.994 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.1.3180affected
Octopus DeployOctopus Server2022.2.6729 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.7965affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.10586affected

Weaknesses

  • Authentication Bypass by Capture-Replay

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References