In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Octopus_server | Octopus | 3.5 (including) | 2022.1.3264 (excluding) |
Octopus_server | Octopus | 2022.2.6729 (including) | 2022.2.8277 (excluding) |
Octopus_server | Octopus | 2022.3.348 (including) | 2022.3.10586 (excluding) |
Octopus_server | Octopus | 2022.4.791 (including) | 2022.4.2898 (excluding) |