
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-2760 is a vulnerability in Octopus Deploy that allows the exposure of Space ID information through error messages. It affects versions after 2019.5.7, including all 2020.x and 2021.x versions, 2022.1.x versions before 2022.1.3180, 2022.2.x versions before 2022.2.7965, and 2022.3.x versions before 2022.3.10586. The issue was discovered during internal testing by Scott Merchant at Octopus Deploy (Octopus Advisory).
The vulnerability allows unauthorized users to view Space IDs of spaces they don't have access to when a resource is part of another Space. This information exposure occurs through error messages displayed by the system. The vulnerability has been assigned a low severity rating according to Octopus Deploy's severity levels (Octopus Advisory).
The impact of this vulnerability is limited to the exposure of Space ID information through error messages when users attempt to access resources in spaces they don't have permission to view. While this represents an information disclosure issue, the severity is considered low due to the limited nature of the exposed information (Octopus Advisory).
The vulnerability has been fixed in versions 2022.1.3180, 2022.2.7965, and 2022.3.10586. Octopus Deploy recommends upgrading to the latest version (2022.3.10594). There are no known mitigations for this vulnerability other than upgrading to a fixed version (Octopus Advisory).
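The affected ranges and fixed builds listed above can be turned into an inventory check. The following is an added example, not code from Octopus Deploy or the advisory; the hostnames and the sample inventory are constructed, and treating branches newer than 2022.3 as fixed is an assumption.

```python
import re

# Fixed builds per release branch, as listed in the advisory summary above.
FIXED_BUILDS = {(2022, 1): 3180, (2022, 2): 7965, (2022, 3): 10586}
LAST_UNAFFECTED = (2019, 5, 7)  # the page says "versions after 2019.5.7"
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (year, minor, build); trailing suffixes such as "-hotfix" are ignored."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected(text):
    """True if the version falls in the affected range stated on this page."""
    version = parse_version(text)
    if version <= LAST_UNAFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return version[2] < FIXED_BUILDS[branch]
    if branch > (2022, 3):
        return False  # assumption: later branches already carry the fix
    return True  # 2019.x after 2019.5.7, 2020.x, 2021.x

def triage(inventory):
    """Split {host: version} into hosts needing an upgrade and unparseable entries."""
    affected, unparsed = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unparsed.append(host)
    return affected, unparsed

# Constructed inventory (hypothetical hostnames), not data from the advisory.
SAMPLE_INVENTORY = {
    "octo-prod": "2022.2.7964",
    "octo-stage": "2022.3.10586",
    "octo-dr": "2021.3.12345-hotfix",
    "octo-lab": "unknown",
}

if __name__ == "__main__":
    affected, unparsed = triage(SAMPLE_INVENTORY)
    print("upgrade required:", affected)
    print("check manually:", unparsed)
```

Entries whose version string cannot be parsed are reported separately so they are reviewed by hand rather than silently treated as unaffected.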
Source: This report was generated using AI