CVE-2022-3460

Summary

In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2018.3.1 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2021.3.13150affected
Octopus DeployOctopus Server2022.1.2121 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.1.3281affected
Octopus DeployOctopus Server2022.2.7897 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.8552affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.10750affected
Octopus DeployOctopus Server2022.4.791 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.4.8221affected

Weaknesses

  • Exposure of Sensitive Information Through Environmental Variables

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References