Sensitive variables can be written in clear-text when using Offline Drop targets #3868
Labels
priority
(obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Milestone
Issue
See private issue for more details: https://github.com/OctopusDeploy/OctopusDeploy/issues/1378
CVE-2017-15610
Sensitive variable value is written to variable file as clear text.
Offline drop deployments generate two variable JSON files: one for normal variables which are written in clear-text, and one for sensitive variables which is encrypted using the Offline Drop Target's encryption password.
If any variable is sensitive, Octopus requires any Offline Drop Target to specify a valid encryption password, and any sensitive values will be encrypted into that file.
If your project uses complex nested bindings, the resulting values can be treated as non-sensitive and written to the clear-text variables file.
If an attacker can gain access to these offline drop files, they can gain the sensitive data without needing to decrypt it.
Affected versions
This affects Octopus
3.2.5
up to3.17.6
, and is fixed in Octopus3.17.7
.Implemented solution
We now use the configuration of the Offline Drop Target as the switch. If the user has configured an encryption password, they have opted-in to have all their variables encrypted, regardless of whether there are any sensitive values or not.
Fixed by https://github.com/OctopusDeploy/OctopusDeploy/pull/1382
The text was updated successfully, but these errors were encountered: