CVE-2022-2346
Octopus Deploy vulnerability analysis and mitigation

Overview

CVE-2022-2346 is an access-control flaw in Octopus Server: in affected versions, a low-privileged guest user can interact with extension endpoints that are not meant to be reachable at that privilege level. The vulnerability was discovered on August 21, 2022, and a patch was released on July 21, 2023. Affected versions are all Octopus Server releases from 2019.4.x through 2022.4.x (before 2022.4.9997), 2023.1.x (before 2023.1.10235), and 2023.2.x (before 2023.2.10545) (Vendor Advisory).

Technical details

Octopus Deploy assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L. NVD rates it 4.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Both assessments agree that the issue is reachable over the network (AV:N), needs no special conditions (AC:L), requires only low privileges such as a guest account (PR:L), and does not cross a security boundary (S:U). They differ on whether user interaction is needed (vendor UI:R, NVD UI:N) and on impact: the vendor scores low confidentiality, integrity and availability impact, while NVD scores integrity impact only (NVD).

Impact

When exploited by a low-privileged guest user, the vulnerability yields at most low impact on confidentiality, integrity and availability according to the vendor's vector (NVD credits integrity impact only). The concrete effect is that the guest account can reach extension endpoints it is not meant to use, so the privilege boundary around guest access does not hold for that part of the API (Vendor Advisory).

Mitigation and workarounds

Octopus Deploy recommends upgrading to version 2023.2.13113 or later. Users who cannot move to the latest release should upgrade within their current branch to the first fixed build: 2022.4.9997, 2023.1.10235, or 2023.2.10545. No alternative mitigation is known, so upgrading to a fixed version promptly is the only remediation (Vendor Advisory). Because the issue is reachable through the guest account, it is also worth confirming whether guest login is enabled on the server while the upgrade is being scheduled.
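The affected ranges above are easy to misread (the 2022.4 fix build also closes every earlier branch back to 2019.4), so here is an added example, not code from Octopus Deploy or from the advisory, that encodes those ranges as a version check. It assumes that the Octopus Server API root document (GET /api) carries the server version in a "Version" field; the JSON sample below is constructed for the example, not captured from a real server.

```python
import json
import re

# Affected ranges for CVE-2022-2346 as listed in the advisory summary above:
# every release from 2019.4.x up to (but not including) 2022.4.9997,
# 2023.1.x before 2023.1.10235, and 2023.2.x before 2023.2.10545.
FIRST_AFFECTED = (2019, 4, 0)
FIXED_BUILDS = {
    (2022, 4): (2022, 4, 9997),
    (2023, 1): (2023, 1, 10235),
    (2023, 2): (2023, 2, 10545),
}
RECOMMENDED = "2023.2.13113"  # the vendor's recommended upgrade target

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2023.2.13113' -> (2023, 2, 13113). Any trailing suffix is ignored
    and a missing build number is treated as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Octopus Server version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # before 2019.4: not in the listed affected ranges
    if v < FIXED_BUILDS[(2022, 4)]:
        return True   # 2019.4.x .. 2022.4.x below the 2022.4 fix build
    fix = FIXED_BUILDS.get(v[:2])
    if fix is None:
        return False  # a branch the advisory does not list (e.g. 2023.3 and later)
    return v < fix    # 2022.4 / 2023.1 / 2023.2 at or above their fix build are patched


def assess(api_root_json):
    """Read the Version field from an /api root document (assumed field name)
    and report whether that build is affected and what to upgrade to."""
    version = json.loads(api_root_json)["Version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": RECOMMENDED,
    }


# Constructed sample of a GET /api root document; not captured from a real server.
SAMPLE_API_ROOT = json.dumps({
    "Application": "Octopus Deploy",
    "Version": "2023.1.10200",
})

if __name__ == "__main__":
    print(assess(SAMPLE_API_ROOT))
    for v in ("2019.3.9", "2021.3.12345", "2022.4.9997", "2023.2.10544", "2023.2.13113"):
        print("%-14s vulnerable=%s" % (v, is_vulnerable(v)))
```

Against a live server, replace SAMPLE_API_ROOT with the body of an authenticated GET to /api and keep the rest unchanged; the ranges are taken from this page, so re-check them against the vendor advisory if the advisory is revised.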

This report was generated using AI.

Related Octopus Deploy vulnerabilities:

CVE ID        | Severity | Score | Technologies   | Component name (CPE)                                  | CISA KEV exploit | Has fix | Published date
CVE-2025-0539 | MEDIUM   | 5.9   | Octopus Deploy | Octopus Deploy (cpe:2.3:a:octopus:octopus_server)     | No               | Yes     | Apr 10, 2025
CVE-2025-0588 | MEDIUM   | 5.9   | Octopus Deploy | Octopus Deploy (cpe:2.3:a:octopus:octopus_server)     | No               | Yes     | Feb 11, 2025
CVE-2025-0526 | LOW      | 2.3   | Octopus Deploy | Octopus Deploy (cpe:2.3:a:octopus:octopus_server)     | No               | Yes     | Feb 11, 2025
CVE-2025-0525 | LOW      | 2.3   | Octopus Deploy | Octopus Deploy (cpe:2.3:a:octopus:octopus_server)     | No               | Yes     | Feb 11, 2025
CVE-2025-0513 | LOW      | 1.8   | Octopus Deploy | Octopus Deploy (cpe:2.3:a:octopus:octopus_server)     | No               | Yes     | Feb 11, 2025
