CVE-2022-2760 in Deployinfo

Summary

by MITRE • 09/28/2022

In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/27/2026

The vulnerability identified as CVE-2022-2760 affects Octopus Deploy versions prior to 2022.2.5779, representing a critical information disclosure flaw that undermines the platform's access control mechanisms. This issue arises from improper error handling within the application's resource management system, where unauthorized users can inadvertently discover sensitive Space IDs through carefully crafted error responses. The vulnerability specifically manifests when attempting to access resources that belong to different Spaces, creating a scenario where the system reveals identifying information about restricted environments in its error messages.

The technical implementation of this flaw stems from the application's failure to properly sanitize error responses before returning them to clients. When a user attempts to access a resource that belongs to a Space they do not have permissions to view, the system generates an error message that includes the Space ID as part of the response. This occurs due to inadequate input validation and output sanitization processes within the Octopus Deploy platform's authentication and authorization framework. The vulnerability aligns with CWE-209, which addresses the disclosure of error messages that contain sensitive information, and represents a direct violation of the principle of least privilege that should govern all access control systems.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with crucial reconnaissance data that can be leveraged for further exploitation attempts. An attacker who discovers a valid Space ID through this vulnerability can then focus their efforts on targeting that specific environment, potentially leading to more severe consequences such as privilege escalation or unauthorized access to deployment configurations. The exposure of Space IDs enables threat actors to map the logical structure of deployment environments and identify potential targets for more sophisticated attacks. This vulnerability particularly affects organizations that maintain multiple Spaces within their Octopus Deploy environment, as it creates a systematic information leak that could compromise the security posture of their entire deployment infrastructure.

Organizations should implement immediate mitigations including updating to Octopus Deploy version 2022.2.5779 or later, which contains the necessary patches to address this vulnerability. The update process should be prioritized across all environments where Octopus Deploy is utilized, with particular attention to production systems that may be more exposed to external threats. Additional defensive measures include implementing network segmentation to limit access to deployment servers, enabling comprehensive logging of access attempts, and conducting regular security assessments to identify similar information disclosure vulnerabilities within the deployment pipeline. The remediation aligns with ATT&CK technique T1212, which focuses on information exposure through error messages, and organizations should consider implementing proper error handling protocols that prevent sensitive data leakage. Security teams should also establish monitoring procedures to detect unusual patterns of access attempts that may indicate exploitation of this vulnerability, ensuring that the platform's access controls function as intended while maintaining operational integrity.

Reservation

08/11/2022

Disclosure

09/28/2022

Moderation

accepted

CPE

ready

EPSS

0.00435

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!