CVE-2022-2572 In affected versions of Octopus Server, it was possible that the API key/keys of a deleted user were still valid.

As a result, it was possible for that user or group to request access to the API via the management interface. Fixed in Version 3.8.12.

It was possible to create a new user with a disabled/deleted role.

When creating a disabled/deleted user, the password was not validated. As a result, unencrypted passwords were now being stored. Updating the table_privileges to only grant users the ‘create_user’ privilege fixed this issue.

When creating a disabled/deleted user, the password was not validated. As a result, unencrypted passwords were now being stored. Updating the table_privileges to only grant users the ‘create_user’ privilege fixed this issue. When creating a new user with a disabled/deleted role, the role was not validated. As a result, unencrypted passwords were now being stored. Updating the table_privileges to only grant users the ‘create_user’ privilege fixed this issue.

When updating a disabled/deleted user, the password was not validated. As a result, unencrypted passwords were now being stored. Updating the table_privileges to only grant users the ‘create_user’ privilege fixed this issue. It was possible that a disabled/deleted user could be granted access to the API.

When deleting a disabled/deleted user, the role was

What is Kerberos?

Kerberos is an authentication protocol that allows you to use one identity (such as a username and password) to access multiple computers or applications without needing to type in your password for each computer or application. This includes accessing websites, services, and data that are hosted on the Internet.

What is Apache Shiro?

Apache Shiro is an open-source, Java web application security framework that provides a comprehensive set of features for securing web applications. Shiro can be used to secure any Java EE application or servlet container. The project is sponsored by the Apache Software Foundation (ASF).

Shiro can help with:

- Code signing and encryption of sensitive data
- Authentication and authorization of users, devices and external services
- Encryption of passwords, tokens and other secret data
- Cybersecurity policies and enforcement

Timeline

Published on: 11/01/2022 02:15:00 UTC
Last modified on: 11/01/2022 19:11:00 UTC

References

• https://advisories.octopus.com/post/2022/sa2022-23/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2572