CVE-2022-2778

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Login rate limiting is the control that throttles password guessing, so an unauthenticated remote attacker who bypasses it can keep submitting credential guesses without being slowed down, which is consistent with the Network / no-privileges CVSS vector below. The advisory does not state where the null bytes are placed or how the limiter keys its counters.
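The following is an added illustration of the vulnerability class, not Octopus Deploy code and not a description of the actual Octopus mechanism, which the advisory does not give. It models a login gate whose rate limiter keys on the raw username while the authentication path sees a NUL-truncated copy, so "admin", "admin\x00", "admin\x00\x00" and so on all authenticate as the same account but each gets its own attempt counter. A hardened gate beside it rejects control characters and uses one canonical value for both the counter and the lookup. MAX_ATTEMPTS, USERS and WORDLIST are constructed for the example, and the strip_at_nul behaviour is a hypothetical stand-in for whatever layer drops the bytes.

```python
from collections import defaultdict
from typing import List, Optional, Tuple

MAX_ATTEMPTS = 5  # hypothetical lockout threshold per rate-limit bucket

# Constructed user database and wordlist for the example. The real password is
# deliberately placed past MAX_ATTEMPTS so a throttled attacker never reaches it.
USERS = {"admin": "Winter2022!"}
WORDLIST = ["password", "123456", "admin", "letmein", "qwerty",
            "Password1", "welcome", "Winter2022!", "Summer2022!"]


def strip_at_nul(s: str) -> str:
    """Behave like a layer that treats its input as a NUL-terminated string:
    everything from the first NUL onward is discarded (hypothetical stand-in)."""
    idx = s.find("\x00")
    return s if idx < 0 else s[:idx]


class VulnerableLogin:
    """The limiter keys on the raw username, but authentication sees a
    NUL-truncated copy, so every distinct NUL padding gets a fresh counter."""

    def __init__(self) -> None:
        self.attempts = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        key = username  # BUG: raw, non-canonical key for the counter
        if self.attempts[key] >= MAX_ATTEMPTS:
            return "rate_limited"
        self.attempts[key] += 1
        account = strip_at_nul(username)  # a different view of the same input
        if USERS.get(account) == password:
            return "ok"
        return "bad_credentials"


class HardenedLogin:
    """Reject control characters up front, canonicalize once, and use that one
    canonical value for both the rate-limit key and the account lookup."""

    def __init__(self) -> None:
        self.attempts = defaultdict(int)

    @staticmethod
    def canonicalize(username: str) -> Optional[str]:
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in username):
            return None  # NUL and other control characters are refused outright
        return username.strip().casefold()

    def login(self, username: str, password: str) -> str:
        account = self.canonicalize(username)
        if account is None:
            return "rejected"
        if self.attempts[account] >= MAX_ATTEMPTS:
            return "rate_limited"
        self.attempts[account] += 1
        if USERS.get(account) == password:
            return "ok"
        return "bad_credentials"


def brute_force(gate, username: str, wordlist: List[str],
                pad_with_nul: bool) -> Tuple[Optional[str], List[str]]:
    """Try each candidate once. With pad_with_nul the i-th attempt appends i
    NUL bytes to the username so every request lands in a new bucket.
    Returns (recovered_password_or_None, per-attempt verdicts)."""
    verdicts: List[str] = []
    for i, candidate in enumerate(wordlist):
        name = username + ("\x00" * i if pad_with_nul else "")
        verdict = gate.login(name, candidate)
        verdicts.append(verdict)
        if verdict == "ok":
            return candidate, verdicts
    return None, verdicts


if __name__ == "__main__":
    # Fresh gate per run so the counters from one scenario do not leak into the next.
    for label, factory in (("vulnerable", VulnerableLogin), ("hardened", HardenedLogin)):
        for pad in (False, True):
            found, verdicts = brute_force(factory(), "admin", WORDLIST, pad)
            print(f"{label:10s} nul_padding={pad!s:5s} recovered={found!r} verdicts={verdicts}")
```

Without padding both gates lock the attacker out after MAX_ATTEMPTS guesses; with padding the vulnerable gate hands out a new bucket per request and the password is recovered, while the hardened gate refuses every padded request. In a real deployment the per-account counter should be paired with a per-source counter, since canonicalizing the username alone does nothing against guessing spread across many accounts.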
Provider   Type  Base Score    Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Octopus    CNA   ---           ---          ---              ---             ---
CVE        ADP   ---           ---          ---              ---             ---
CISA-ADP   ADP   9.8 CRITICAL  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score percentile: 15%
Vendor   Product         Version
octopus  octopus_server  3.0 ≤ x < 2022.2.8277
octopus  octopus_server  2022.3.348 ≤ x < 2022.3.10405
octopus  octopus_server  2022.4.791 ≤ x < 2022.4.1371

x = vulnerable software versions