CVE-2022-3614

EUVD-2022-42975
In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication checks and be redirected to the configured redirect url without any validation.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
Affected Products (NVD)
VendorProductVersion
octopusoctopus_server
3.5 ≤
𝑥
< 2022.3.10750
octopusoctopus_server
2022.4 ≤
𝑥
< 2022.4.8063
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://advisories.octopus.com/post/2022/sa2022-26/
https://advisories.octopus.com/post/2022/sa2022-26/