CVE-2019-15508

Published: Aug 23, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.

Affected (2)

Products: Octopus: Server, Tentacle

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Octopus Server	From 3.0.8 to 2019.7.6
Octopus Tentacle	From 3.0.8 to 5.0.0

Related CWEs

Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (2)

https://github.com/OctopusDeploy/Issues/issues/5750

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://github.com/OctopusDeploy/Issues/issues/5750

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.