CVE-2022-3614

Summary

In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server3.5.1 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.2.8552affected
Octopus DeployOctopus Server2022.3.348 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.3.10750affected
Octopus DeployOctopus Server2022.4.791 < unspecifiedaffected
Octopus DeployOctopus Serverunspecified < 2022.4.8063affected

Weaknesses

  • Authentication Bypass Using an Alternate Path or Channel

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References