CVE-2022-2013: 
Octopus Deploy vulnerability analysis and mitigation

CVE-2022-2013 is a broken access control vulnerability affecting Octopus Server versions after 2022.1.1495 and before 2022.1.2647. The vulnerability was discovered during internal testing at Octopus Deploy on May 18, 2022, and was patched on May 20, 2022. The issue allowed all new users to have access to the Script Console within their private space when private spaces were enabled via the experimental feature flag (Octopus Advisory).

The vulnerability has been assigned a CVSS score of 5.7, indicating a medium severity level. The issue specifically manifests when private spaces are enabled through an experimental feature flag, which incorrectly grants Script Console access to all new users within their private space. This represents a broken access control vulnerability that could potentially be exploited to gain unauthorized access to system functionality (Octopus Advisory).

The vulnerability could allow unauthorized users to access the Script Console functionality within their private spaces, potentially leading to security implications through unauthorized script execution. The issue affects both Linux and Microsoft Windows operating systems running the vulnerable versions of Octopus Server (Octopus Advisory).

The vulnerability has been fixed in Octopus Server version 2022.1.2647. Octopus Deploy recommends that all users upgrade to this version or later to address the security issue. There are no known mitigations for this vulnerability other than upgrading to a fixed version (Octopus Advisory).