
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in Octopus Deploy (CVE-2023-2247) was discovered on November 10, 2022, and patched on April 6, 2023. The vulnerability allows the unmasking of variable secrets through the variable preview function. It affects multiple versions of Octopus Server, including all 2018.3.x through 2021.x.x versions and specific versions of the 2022.x.x series before 2022.3.10929 and 2022.4.8319 (Octopus Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in low-level confidentiality impact without affecting integrity or availability (NVD).
The vulnerability allows attackers to expose sensitive variable secrets through the variable preview functionality, potentially compromising the confidentiality of sensitive information stored in the system (Octopus Advisory).
Octopus Deploy recommends upgrading to version 2023.1.9794 or later to address this vulnerability. For users unable to upgrade to the latest version, specific version upgrades are recommended: users on 2018.3.x through 2022.2.x should upgrade to 2022.3.10929 or greater, while users on 2022.4.x should upgrade to 2022.4.8319 or greater. There are no known alternative mitigations (Octopus Advisory).
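The upgrade guidance above can be applied to a server inventory with a short triage script. This is an added example, not code from Octopus Deploy or the advisory; the host names and sample versions are constructed, and treating 2022.3.x builds below 10929 as fixed by 2022.3.10929 is an assumption drawn from the affected-version list.

```python
import re

# Version boundaries as given in the advisory summary above.
FIRST_AFFECTED = (2018, 3, 0)
FIX_2022_3 = (2022, 3, 10929)
FIX_2022_4 = (2022, 4, 8319)
RECOMMENDED = (2023, 1, 9794)


def parse_version(text):
    """Return (major, minor, build) from strings like '2022.4.8319-hotfix'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(text):
    """Return (status, minimum fixed version or None) for one server version."""
    try:
        v = parse_version(text)
    except ValueError:
        return ("unparsed", None)  # flag for manual review, never drop silently
    if FIRST_AFFECTED <= v < FIX_2022_3:
        return ("affected", "2022.3.10929")
    if v[:2] == (2022, 4) and v < FIX_2022_4:
        return ("affected", "2022.4.8319")
    if v[:2] in ((2022, 3), (2022, 4)) or v >= RECOMMENDED:
        return ("fixed", None)
    return ("not-listed", None)  # outside every range the page names


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed inventory (hypothetical host names and versions).
SAMPLE = {
    "octo-prod": "2021.3.12345",
    "octo-stage": "2022.3.10929",
    "octo-dev": "2022.4.8000",
    "octo-lab": "2023.1.9794",
    "octo-old": "unknown",
}

if __name__ == "__main__":
    for host, (status, fix) in triage_inventory(SAMPLE).items():
        print(f"{host:12} {status:10} {fix or ''}")
```

Hosts reported as `unparsed` or `not-listed` need a manual check against the Octopus Advisory, since the page gives no verdict for them.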
Source: This report was generated using AI