In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages.
During installation, installed file permissions are set to allow anyone to modify those files.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Octopus_server | Octopus | 3.0.0 (including) | 4.1.10 (including) |
Octopus_server | Octopus | 2018.1.0 (including) | 2021.3.13021 (including) |
Octopus_server | Octopus | 2022.1.0 (including) | 2022.1.3106 (excluding) |
Octopus_server | Octopus | 2022.2.6729 (including) | 2022.2.7718 (excluding) |
Octopus_server | Octopus | 2022.3.348 (including) | 2022.3.7782 (excluding) |