CVE-2022-2528 It is possible to upload a package with insufficient permissions after re-indexing packages.

This can result in deployment failure.

This issue is fixed in version 5.1.

Octopus Deploy 5.0.7 - 5.0.8 Octopus Deploy 5.0.7 - 5.0.8 is vulnerable to a privilege escalation exploit.

In some cases, an attacker could use this vulnerability to escalate privileges to SYSTEM.

This issue is fixed in version 5.0.9.

Octopus Deploy 5.0.7 - 5.0.8 is vulnerable to a privilege escalation exploit. In some cases, an attacker could use this vulnerability to escalate privileges to SYSTEM. This issue is fixed in version 5.0.9. An attacker could deploy an unauthorized update to an application. This issue is fixed in version 5.1.

Octopus Deploy 5.0.7 - 5.0.8 An attacker could deploy an unauthorized update to an application. This issue is fixed in version 5.1. It is possible to upload a package with insufficient permissions after a package was re-indexed. This issue is fixed in version 5.1.

Octopus Deploy 5.0.7 - 5.0.8 It is possible to upload a package with insufficient permissions after a package was re-indexed. This issue is fixed in version 5.1. An attacker could upload an unauthorized update to an application. This issue is fixed in version 5.1.

Octopus Deploy 5

Octopus Deploy 5.0.0 - 5.0.4

An attacker could upload an unauthorized update to an application. This issue is fixed in version 5.1.

Octopus Deploy 5.0.5 - 5.0.11 An attacker could upload an unauthorized update to an application. This issue is fixed in version 5.1. It is possible to upload a package with insufficient permissions after a package was re-indexed. This issue is fixed in version 5.1

Octopus Deploy 5.0 Installation Requirements

- Requires Microsoft Windows 2008 R2 SP1 or later.
- Requires .NET Framework 4.6 and above.
- Requires SQL Server 2012 or later for deployments to Azure SQL Database.

Octopus Deploy 5.0 Features

- Automatically deploy from your project's build artifacts
- Supports Windows, Linux and macOS
- Compatible with Docker and the App Container standard.
- Enforces security for its users.
- Out of the box support for continuous deployment with your choice of Jenkins, TeamCity, Bamboo or Gitlab CI servers.
- Includes a plugin that integrates with Microsoft Visual Studio Team Services (VSTS).

Octopus Deploy 5.0 Overview

Octopus Deploy 5.0 is a release focused on delivering the core functionality of previous releases and adding new features. The main focus of this release was to improve performance, ease of use, and scalability.

Improvements in performance included the ability to deploy more than one package at a time and reduce load times. This allows for faster deployments with fewer issues. Additionally, there is an improved interface that makes it easier to understand what packages are running and what has changed since last deployment.

The main changes in Octopus Deploy 5 included:
- Improved interface allowing users to easily see what changed since last deployment
- Ability to deploy more than one package at a time without needing to cancel existing deployments first
- New activation workflow that improves user experience

Octopus Deploy 5.0.6 - 5.0.7

An attacker could upload an unauthorized update to an application. This issue is fixed in version 5.1

Timeline

Published on: 09/09/2022 08:15:00 UTC
Last modified on: 09/15/2022 21:13:00 UTC

References

• https://advisories.octopus.com/post/2022/sa2022-13/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2528