CVE-2022-2783: 
Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server, a vulnerability (CVE-2022-2783) was identified where a session cookie could be used as the CSRF token. The vulnerability was discovered on August 11, 2022, and a patch was released on September 9, 2022. The affected versions include all 3.x versions after 3.12.0, all 4.x versions, all 2018.x through 2021.x versions, 2022.1.x versions before 2022.1.3154, 2022.2.x versions before 2022.2.7897, and 2022.3.x versions before 2022.3.10586 (Octopus Advisory).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) weakness (CWE-352). According to the National Vulnerability Database, it received a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

The vulnerability could lead to unauthorized state-changing HTTP requests to Octopus Server, potentially allowing attackers to modify system state without proper authorization (Octopus Advisory).

To address this vulnerability, Octopus Deploy released patched versions: 2022.1.3154, 2022.2.7897, and 2022.3.10586. The recommended action is to upgrade to the latest version (2022.3.10594 or higher). There are no known mitigations for this vulnerability other than upgrading to a fixed version (Octopus Advisory).