Octopus Deploy security advisories carry a severity level of critical, high, medium or low. The severity level is based on a self-calculated CVSS V3 score, which is an industry-standard vulnerability metric. We use the following severity rating system:
Please keep in mind these ratings do not take into account details of your specific installation and should be used only as a guide.
| CVSS V3 Score Range | Severity Level | Remediation Time Frame |
|---------------------|----------------|------------------------|
| 9.0 - 10.0          | Critical       | 14 days                |
| 7.0 - 8.9           | High           | 30 days                |
| 4.0 - 6.9           | Medium         | 60 days                |
| 0.1 - 3.9           | Low            | 90 days                |
Severity level: Critical
Vulnerabilities that score in the critical range usually have the following characteristics:
Exploitation of the vulnerability likely results in root-level compromise of the server.
Exploitation is usually straightforward, meaning an attacker does not need any authentication information and does not need to persuade a target to perform an action, for example through social engineering.
Severity level: High
Vulnerabilities that score in the high range usually have the following characteristics:
The vulnerability is difficult to exploit, meaning an attacker may need an existing foothold.
Exploitation could result in elevated privilege within the application or on the server.
Exploitation could result in a significant data loss or downtime.
Severity level: Medium
Vulnerabilities that score in the medium range usually have the following characteristics:
Vulnerabilities that require the attacker to manipulate individual victims via social engineering.
Denial of service vulnerabilities that are difficult to set up.
Exploits that require an attacker to reside on the same local network as the victim.
Vulnerabilities where exploitation provides only very limited access.
Vulnerabilities that require user privileges for successful exploitation.
Severity level: Low
Vulnerabilities in the low range typically have little impact on a business. Exploitation of low-severity vulnerabilities may only provide information about a system, or may require the attacker to have local or physical access to a device.