CVE-2019-19375

Published: Nov 28, 2019Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)

Affected (3)

Products: Octopus: Octopus Deploy

Octopus

1 product

Octopus Deploy

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Octopus Octopus Deploy	Before 2019.10.7
Octopus Octopus Deploy	From 2019.6.0 to 2019.6.14
Octopus Octopus Deploy	From 2019.9.0 to 2019.9.8

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/OctopusDeploy/Issues/issues/5998

Source: cve@mitre.org

Third Party Advisory

https://github.com/OctopusDeploy/Issues/issues/5998

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.