CVE-2022-1670

When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
OctopusCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
octopusoctopus_server
0.9 ≤
𝑥
< 2021.3.12533
octopusoctopus_server
2022.1.0 ≤
𝑥
< 2022.1.53
𝑥
= Vulnerable software versions
References
https://advisories.octopus.com/post/2022/sa2022-04/
https://advisories.octopus.com/post/2022/sa2022-04/