CVE-2022-1881

In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.

Published: Jul 15, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-1881
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
octopus / octopus_server	2021.1.6959	2021.3.13021
octopus / octopus_server	2022.1.2121	2022.1.2894
octopus / octopus_server	2022.3.348	2022.3.2616
octopus / octopus_server	2022.2.6729	2022.2.6971

https://advisories.octopus.com/post/2022/sa2022-06/

Vulnerability Database

289,697

CVE-2022-1881