From 5f2277ef563ad63a4fd245544a79836d2c632b4f Mon Sep 17 00:00:00 2001
From: OctoJames <82797967+OctoJames@users.noreply.github.com>
Date: Fri, 19 Aug 2022 18:57:33 +1000
Subject: [PATCH 1/2] Updating CVE-2022-2074
---
 2022/2xxx/CVE-2022-2074.json | 71 ++++++++++++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 3 deletions(-)
diff --git a/2022/2xxx/CVE-2022-2074.json b/2022/2xxx/CVE-2022-2074.json
index 83b14092a2a..2d759c9bcbc 100644
--- a/2022/2xxx/CVE-2022-2074.json
+++ b/2022/2xxx/CVE-2022-2074.json
@@ -4,14 +4,79 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-2074",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@octopus.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Octopus Deploy",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Octopus Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "0.9",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.1.2894",
+ "version_affected": "<"
+ },
+ {
+ "version_value": "2022.2.6729",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.2.6872",
+ "version_affected": "<"
+ },
+ {
+ "version_value": "2022.3.348",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.3.4953",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Regex Denial of Service"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://advisories.octopus.com/post/2022/sa2022-11/",
+ "refsource": "MISC",
+ "name": "https://advisories.octopus.com/post/2022/sa2022-11/"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template."
 }
 ]
 }
From 3b27ea9d72174e83d8e71d840b5c6c962406ed36 Mon Sep 17 00:00:00 2001
From: OctoJames <82797967+OctoJames@users.noreply.github.com>
Date: Fri, 19 Aug 2022 19:05:08 +1000
Subject: [PATCH 2/2] Updating CVE-2022-2075
---
 2022/2xxx/CVE-2022-2075.json | 71 ++++++++++++++++++++++++++++++++++--
 1 file changed, 68 insertions(+), 3 deletions(-)
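Review bot: The `version_data` array lists each range bound as its own entry (`>=` 0.9, `<` 2022.1.2894, `>=` 2022.2.6729, and so on), and nothing in the record pairs a lower bound with its upper bound. A consumer that evaluates the entries independently will match every release, including the fixed builds, because `>=` 0.9 on its own already covers them, so a scanner could report patched servers as affected. Tie each bound to its release line, for example `"version_name": "2022.3"` on the two 2022.3 entries, and state the three affected ranges and their fixed builds in the `description` value so the record can be read without the advisory. The same array appears in the CVE-2022-2075.json hunk.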
diff --git a/2022/2xxx/CVE-2022-2075.json b/2022/2xxx/CVE-2022-2075.json
index 9aca4c67d06..10e7d0b6dfa 100644
--- a/2022/2xxx/CVE-2022-2075.json
+++ b/2022/2xxx/CVE-2022-2075.json
@@ -4,14 +4,79 @@
 "data_version": "4.0",
 "CVE_data_meta": {
 "ID": "CVE-2022-2075",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "ASSIGNER": "security@octopus.com",
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Octopus Deploy",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Octopus Server",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "0.9",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.1.2894",
+ "version_affected": "<"
+ },
+ {
+ "version_value": "2022.2.6729",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.2.6872",
+ "version_affected": "<"
+ },
+ {
+ "version_value": "2022.3.348",
+ "version_affected": ">="
+ },
+ {
+ "version_value": "2022.3.4953",
+ "version_affected": "<"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Regex Denial of Service"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://advisories.octopus.com/post/2022/sa2022-12/",
+ "refsource": "MISC",
+ "name": "https://advisories.octopus.com/post/2022/sa2022-12/"
+ }
+ ]
 },
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation."
 }
 ]
 }
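Review bot: The `problemtype` entry carries only the free text `"Regex Denial of Service"`, so tooling that groups or filters records by CWE cannot classify this one. If the vendor agrees with the classification, `"value": "CWE-1333 Inefficient Regular Expression Complexity"` would make it machine-matchable. The `description` also does not say whether the build information request has to come from an authenticated caller, which a defender needs to judge exposure; the linked advisory may state it. The CVE-2022-2074.json hunk has the same `problemtype` text.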