Strix
26.1K

CVE-2022-2049

HIGHCVSS 7.5/10EPSS 0.66%

Last modified

CVE-2022-2049 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.. EPSS estimates a 0.66% chance of exploitation in the next 30 days.

Description

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.66%

46.7th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
OctopusOctopus Server>= 0.9, <= 0.9.620.4
OctopusOctopus Server>= 1.0, <= 1.6.3.1723
OctopusOctopus Server>= 2.0, <= 2.6.5
OctopusOctopus Server>= 3.0.0, <= 3.17.14
OctopusOctopus Server>= 4.0.4, <= 4.1.10
OctopusOctopus Server>= 2018.1.0, <= 2018.12.1
OctopusOctopus Server>= 2019.1.0, <= 2019.13.7
OctopusOctopus Server>= 2020.1.0, <= 2020.6.5449
OctopusOctopus Server>= 2021.1.6959, <= 2021.3.13021
OctopusOctopus Server>= 2022.1.0, < 2022.1.2894
OctopusOctopus Server>= 2022.2.6729, < 2022.2.6872
OctopusOctopus Server>= 2022.3.348, < 2022.3.4953

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-2049?
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
How severe is CVE-2022-2049?
CVE-2022-2049 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.66% probability of exploitation in the next 30 days.
How do I fix CVE-2022-2049?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-2049?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST