CVE-2017-11348

MEDIUM

Octopus Server - Path Traversal

Title source: rule

Description

In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.

References (1)

[Third Party Advisory] https://github.com/OctopusDeploy/Issues/issues/3654

Scores

CVSS v3 5.7

EPSS 0.0063

EPSS Percentile 70.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (50)

octopus/octopus_server

octopus/octopus_deploy

octopus/octopus_server

... and 40 more

Published Jul 17, 2017

Tracked Since Feb 18, 2026