CVE-2022-2074

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
OctopusCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
octopusoctopus_server
0.9 ≤
𝑥
≤ 0.9.620.4
octopusoctopus_server
1.0 ≤
𝑥
≤ 1.6.3.1723
octopusoctopus_server
2.0 ≤
𝑥
≤ 2.6.5
octopusoctopus_server
3.0.0 ≤
𝑥
≤ 3.17.14
octopusoctopus_server
4.0.4 ≤
𝑥
≤ 4.1.10
octopusoctopus_server
2018.1.0 ≤
𝑥
≤ 2018.12.1
octopusoctopus_server
2019.1.0 ≤
𝑥
≤ 2019.13.7
octopusoctopus_server
2020.1.0 ≤
𝑥
≤ 2020.6.5449
octopusoctopus_server
2021.1.6959 ≤
𝑥
≤ 2021.3.13021
octopusoctopus_server
2022.1.0 ≤
𝑥
< 2022.1.2894
octopusoctopus_server
2022.2.6729 ≤
𝑥
< 2022.2.6872
octopusoctopus_server
2022.3.348 ≤
𝑥
< 2022.3.4953
𝑥
= Vulnerable software versions
References
https://advisories.octopus.com/post/2022/sa2022-11/
https://advisories.octopus.com/post/2022/sa2022-11/