Vulnerability identifier: #VU30573
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Octopus Deploy
Server applications /
Application servers
Vendor: Octopus Deploy
Description
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)
Mitigation
Install update from vendor's website.
Vulnerable software versions
Octopus Deploy: 2019.9.0 - 2019.9.7
External links
http://github.com/OctopusDeploy/Issues/issues/6005
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.