Lucene search

K
cveMitreCVE-2019-15507
HistoryAug 23, 2019 - 6:15 a.m.

CVE-2019-15507

2019-08-2306:15:10
CWE-312
CWE-532
mitre
web.nvd.nist.gov
36
2
octopus deploy
insecure configuration
cve-2019-15507
web request proxy
cleartext password
deployment security
lts 2019.6.7
lts 2019.3.8

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

28.4%

In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8.

Affected configurations

Nvd
Node
octopusserverRange2018.8.42019.7.6
VendorProductVersionCPE
octopusserver*cpe:2.3:a:octopus:server:*:*:*:*:*:*:*:*

Social References

More

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

28.4%

Related for CVE-2019-15507