CVE-2022-1670: 
Octopus Deploy vulnerability analysis and mitigation

A vulnerability was discovered in Octopus Server (CVE-2022-1670) where users could bypass user invitation code restrictions. The vulnerability was discovered on July 21, 2021, and patched on March 24, 2022. The issue affects multiple versions of Octopus Server from version 0.x.x through 2022.1.x (before 2022.1.53) (Vendor Advisory).

When generating a user invitation code in Octopus Server, administrators could set the code's validity for a specific number of users. The vulnerability allowed attackers to bypass this restriction and create additional user accounts beyond the initially specified limit. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow unauthorized users to create additional user accounts beyond the intended limit set by administrators, potentially leading to unauthorized access to the Octopus Server system (Vendor Advisory).

The vulnerability has been fixed in Octopus Server versions 2022.1.53 and 2021.3.12533. Users are recommended to upgrade to version 2022.1.2584 or higher to address this security issue. There are no known mitigations other than upgrading to a fixed version (Vendor Advisory).