CVE-2022-2778

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Score percentile: Unknown

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| octopus | octopus_server | 3.0 ≤ 𝑥 < 2022.2.8277 |
| octopus | octopus_server | 2022.3.348 ≤ 𝑥 < 2022.3.10405 |
| octopus | octopus_server | 2022.4.791 ≤ 𝑥 < 2022.4.1371 |

𝑥 = Vulnerable software versions