CVE-2017-11348
CVE-2017-11348 is a medium-severity vulnerability in Octopus Octopus Deploy with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.
Key facts
- Severity: Medium (CVSS 3.x base score 5.7)
- CVSS v2: 6.3
- EPSS exploit prediction: 1% (65th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-22
- Affected product: Octopus Octopus Deploy
- Published:
- Last modified:
Description
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
Frequently asked questions
- What is CVE-2017-11348?
- In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or modifying system files. This is a directory traversal in the PackageId value.
- How severe is CVE-2017-11348?
- CVE-2017-11348 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2017-11348 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (65th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2017-11348?
- CVE-2017-11348 primarily affects Octopus Octopus Deploy. In total, 192 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-11348?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2017-11348 published?
- CVE-2017-11348 was published on 2017-07-17 and last updated on 2026-06-17.
References
Affected products (192)
- cpe:2.3:a:octopus:octopus_deploy:3.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_deploy:3.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.0:beta0001:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.0:beta0002:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:octopus:octopus_server:3.1.12:*:*:*:*:*:*:*
More vulnerabilities in Octopus Octopus Deploy
- CVE-2020-10678 — High (CVSS 8.8): In Octopus Deploy before 2020.1.5, for customers running on-premises Active Directory linked to their Octopus server,…
- CVE-2018-5706 — High (CVSS 8.8): An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give…
- CVE-2018-4862 — High (CVSS 8.8): In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could…
- CVE-2017-17665 — High (CVSS 8.8): In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments.…
- CVE-2019-11632 — High (CVSS 8.1): In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the…
- CVE-2021-26556 — High (CVSS 7.8): When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an…
All CVEs affecting Octopus Octopus Deploy →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…