
Sensitive values may be exposed in some circumstances via variable preview - CVE-2019-15698 #5810

Closed
5 tasks done
matt-richardson opened this issue Aug 27, 2019 · 3 comments

matt-richardson commented Aug 27, 2019

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain circumstances, an authenticated user with VariableView permissions could view sensitive values via the improved variable preview shipped in 2019.7.3. Introduced in #4394.

Affected versions

**Octopus Server** 2019.7.3 - 2019.7.9

Mitigation

Nothing great.

Workarounds

  • Upgrade to Octopus 2019.7.10+
  • Limit users with VariableView permission
  • Ensure all variables that reference a secure variable are themselves marked as sensitive
  • Use subscriptions to track modifications to variables to audit access.

Links

Source: internally reported.
Internal issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/4232
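The third workaround (any variable that interpolates a sensitive variable must itself be marked sensitive) can be checked mechanically before a preview ever renders it. The script below is an added example, not Octopus Deploy's own code; it assumes the variable-set JSON shape served by the Octopus API (a `Variables` array of objects with `Name`, `Value` and `IsSensitive`, with sensitive values returned as `null`) and the `#{Name}` substitution syntax, and runs over a constructed sample rather than a live server.

```python
import json
import re

# Octopus substitution syntax is #{Name}, optionally with filters such as #{Name | ToLower}.
REFERENCE = re.compile(r"#\{\s*([^}|\s]+)")

# Constructed sample in the assumed shape of an Octopus variable-set document
# (not captured from a real server). Sensitive values are returned as null.
SAMPLE_VARIABLE_SET = json.loads("""
{
  "Id": "variableset-Projects-1",
  "Variables": [
    {"Name": "DbPassword",   "Value": null, "IsSensitive": true},
    {"Name": "DbConnection", "Value": "Server=db;User=app;Password=#{DbPassword}", "IsSensitive": false},
    {"Name": "AppConfig",    "Value": "conn=#{DbConnection | ToLower}", "IsSensitive": false},
    {"Name": "ApiKey",       "Value": null, "IsSensitive": true},
    {"Name": "ApiHeader",    "Value": "Authorization: Bearer #{ApiKey}", "IsSensitive": true},
    {"Name": "SiteName",     "Value": "#{Environment}-web", "IsSensitive": false}
  ]
}
""")


def find_leaky_variables(variable_set):
    """Names of non-sensitive variables whose expanded value would contain a
    sensitive value, either directly or through a chain of references."""
    refs = {}       # variable name -> names it references
    sensitive = set()
    for var in variable_set["Variables"]:
        name = var["Name"]
        if var.get("IsSensitive"):
            sensitive.add(name)
        # Scoped duplicates share a name; merge their references.
        refs.setdefault(name, set()).update(REFERENCE.findall(var.get("Value") or ""))
    # Propagate taint until no new variable is reached (handles A -> B -> secret chains).
    tainted = set(sensitive)
    changed = True
    while changed:
        changed = False
        for name, targets in refs.items():
            if name not in tainted and targets & tainted:
                tainted.add(name)
                changed = True
    return sorted(tainted - sensitive)


if __name__ == "__main__":
    for name in find_leaky_variables(SAMPLE_VARIABLE_SET):
        print(f"{name} interpolates a sensitive variable but is not marked sensitive")
```

On the sample this flags `DbConnection` (direct reference) and `AppConfig` (reference through `DbConnection`), while `ApiHeader` passes because it is already sensitive.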

@matt-richardson matt-richardson added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Aug 27, 2019
@matt-richardson matt-richardson added this to the 2019.7.10 milestone Aug 27, 2019
@matt-richardson matt-richardson self-assigned this Aug 27, 2019
@matt-richardson (Contributor, Author)

Shipped in 2019.7.10

@octoreleasebot

Release Note: Fixed an issue where in some circumstances, sensitive variables could be exposed in the variable preview

@matt-richardson matt-richardson changed the title Sensitive values may be exposed in some circumstances via variable preview Sensitive values may be exposed in some circumstances via variable preview - CVE-2019-15698 Aug 27, 2019

lock bot commented Nov 26, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.
