In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Octopus_server | Octopus | 2022.3.348 | * |
Octopus_server | Octopus | 3.5 | * |
Octopus_server | Octopus | 2022.4.791 | * |
Octopus_server | Octopus | 2022.2.6729 | * |