CVE-2022-2778

EUVD-2022-35019
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
Provider   Type      Base Score     Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary   9.8 CRITICAL   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP   ADP       9.8 CRITICAL   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Scoring: CVSS 3.x base score (above); EPSS percentile: 68%
Affected Products (NVD)

Vendor    Product          Version
octopus   octopus_server   3.0 ≤ x < 2022.2.8277
octopus   octopus_server   2022.3.348 ≤ x < 2022.3.10405
octopus   octopus_server   2022.4.791 ≤ x < 2022.4.1371

x = vulnerable software versions