CVE-2022-1881: 
Octopus Deploy vulnerability analysis and mitigation

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in Octopus Server that allows users to download Project Exports from projects they don't have permissions to access within the same Space. The vulnerability was assigned CVE-2022-1881 and was discovered on May 16, 2022, with patches released on June 15, 2022 (Octopus Advisory).

The vulnerability is an Insecure Direct Object Reference (IDOR) issue that affects multiple versions of Octopus Server including all 2021.1.x, 2021.2.x, 2021.3.x versions before 2021.3.13021, all 2022.1.x versions before 2022.1.2894, all 2022.2.x versions before 2022.2.6971, and all 2022.3.x versions before 2023.3.2616. The vulnerability has been assigned a CVSS score of 6.5, indicating medium severity (Octopus Advisory).

The vulnerability allows unauthorized users to access Project Exports from projects they don't have permissions to access, but only within the same Space. This could lead to unauthorized access to sensitive project information (Octopus Advisory).

There are no known mitigations for this vulnerability. Organizations are strongly advised to upgrade to the fixed versions: 2021.3.13021, 2022.1.2894, 2022.2.6971, or 2022.3.2616. The latest version can be downloaded from the Octopus Deploy website (Octopus Advisory).