CVE-2022-2781 : In affected versions of Octopus Server it was identified that the same encryptio

In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.

Published 2022-10-06 18:15:58

Updated 2022-11-10 04:09:56

Source Octopus Deploy

View at NVD, CVE.org

Products affected by CVE-2022-2781

Octopus » Octopus Server
Versions from including (>=) 2022.2.6729 and before (<) 2022.2.7897
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
Matching versions
Octopus » Octopus Server
Versions from including (>=) 3.2.10 and before (<) 2022.1.3154
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
Matching versions
Octopus » Octopus Server
Versions from including (>=) 2022.3.348 and before (<) 2022.3.10586
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)

https://advisories.octopus.com/post/2022/sa2022-16/

Security Advisory 2022-16 | Octopus Deploy Security Advisories
Vendor Advisory

Jump to