CVE-2024-4226

Summary

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2022.2.5205 < 2022.2.7934affected
Octopus DeployOctopus Server2022.3.348 < 2022.3.9163affected

Weaknesses

  • Users with no permissions can see all users

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References