CVE-2024-4226

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
OctopusCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
octopusoctopus_server
2022.2.6729 ≤
𝑥
< 2022.2.7934
octopusoctopus_server
2022.3.348 ≤
𝑥
< 2022.3.9163
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://advisories.octopus.com/post/2024/SA2024-03/
https://advisories.octopus.com/post/2024/SA2024-03/