Certificate private keys downloadable when guest user has admin rights #3869
Labels: priority
See private issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/1282
CVE-2017-15610
When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the private key. We generally recommend the Guest account is not granted these high-level permissions, but want to take the extra step to ensure private keys are never leaked to the Guest user account.

Affected Versions

Octopus 3.11.0 to 3.17.6. Fixed in Octopus 3.17.7.

Implemented Solution

The special Guest account is specifically denied access to export certificates including the private key, even if the Guest account has been granted the CertificateExportPrivateKey permission.

Fixed in https://github.com/OctopusDeploy/OctopusDeploy/pull/1384
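The authorization pattern the fix describes, as an added illustration that is not Octopus Deploy's own code: the pre-fix check only consults the granted permission, while the fixed check denies the special Guest account before any grant is considered. The User model, function names and the audit helper are assumptions for the illustration; only the account and permission names come from the issue.

```python
"""Illustrative authorization check modelled on the fix described in this issue.

Added example code, not Octopus Deploy's implementation. The account name
(Guest) and permission name (CertificateExportPrivateKey) come from the issue;
the User model and helper names are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

CERT_EXPORT_PRIVATE_KEY = "CertificateExportPrivateKey"
GUEST_USERNAME = "Guest"  # the special built-in guest account named in the issue


@dataclass(frozen=True)
class User:
    username: str
    permissions: frozenset = field(default_factory=frozenset)

    def is_guest(self) -> bool:
        return self.username == GUEST_USERNAME


def can_export_private_key_vulnerable(user: User, guest_access_enabled: bool) -> bool:
    """Pre-fix behaviour (3.11.0 to 3.17.6 per the issue): only the grant is checked.

    If an administrator grants Guest the permission and Guest Access is enabled,
    the private key is exported."""
    if user.is_guest() and not guest_access_enabled:
        return False  # Guest cannot sign in at all when Guest Access is off
    return CERT_EXPORT_PRIVATE_KEY in user.permissions


def can_export_private_key_fixed(user: User, guest_access_enabled: bool) -> bool:
    """Post-fix behaviour: the Guest account is denied private-key export
    unconditionally, before any granted permission is consulted."""
    if user.is_guest():
        # An explicit deny for the special account wins over any granted role.
        return False
    return CERT_EXPORT_PRIVATE_KEY in user.permissions


def audit_guest_grants(users: list[User]) -> list[str]:
    """Defender's configuration check: report Guest accounts that still hold the
    export permission. The fix denies the export anyway, but the grant itself is
    the misconfiguration the issue recommends against."""
    return [u.username for u in users
            if u.is_guest() and CERT_EXPORT_PRIVATE_KEY in u.permissions]
```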