CVE-2022-2828: 
Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server, a vulnerability (CVE-2022-2828) was discovered that allows unauthorized users to obtain information about teams through the API due to an Insecure Direct Object Reference (IDOR) vulnerability. The vulnerability was discovered on August 16, 2022, and a patch was released on September 27, 2022. The affected versions include all 2022.1.x versions after 2022.1.2121 and before 2022.1.3135, all 2022.2.x versions before 2022.2.7897, and all 2022.3.x versions before 2022.3.10586 (Octopus Advisory).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) vulnerability that allows users without team permissions to access team information through API requests. The severity is rated as Medium with a CVSS score of 5.7. The vulnerability enables unauthorized access to team details including members, descriptions, and associated permissions (Octopus Advisory).

When exploited, the vulnerability allows unauthorized users to obtain sensitive information about teams, including team members, descriptions, and permissions associated with the teams. This information disclosure could potentially be used for further targeting or unauthorized access planning (Octopus Advisory).

There are no known mitigations for this vulnerability other than upgrading to a fixed version. Octopus Deploy recommends upgrading to version 2022.3.10640 or later. For users unable to upgrade to the latest version, specific version upgrades are recommended: 2022.1.3135 for 2022.1.x users, 2022.2.7897 for 2022.2.x users, and 2022.3.10586 for 2022.3.x users (Octopus Advisory).