Certificate private keys downloadable when guest user has admin rights #3869
Labels: priority (obsolete label: this issue has been recognised as a priority and should be addressed as soon as possible)
Issue
See private issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/1282
CVE-2017-15610
When the special `Guest` user account is granted the `CertificateExportPrivateKey` permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the `Guest` account and export certificates managed by Octopus, including the private key.

We generally recommend the `Guest` account is not granted these high-level permissions, but want to take the extra step to ensure private keys are never leaked to the `Guest` user account.

Affected Versions
Octopus 3.11.0 to 3.17.6. Fixed in Octopus 3.17.7.

Implemented Solution
The special `Guest` account is specifically denied access to export certificates including the private key, even if the `Guest` account has been granted the `CertificateExportPrivateKey` permission.

Fixed in https://github.com/OctopusDeploy/OctopusDeploy/pull/1384
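The following Python sketch is an added illustration of the authorization pattern this fix describes; it is not Octopus Deploy's code and does not reflect its internal API. It puts the pre-fix rule (a plain lookup of the granted permission set) beside the fixed rule (an explicit deny for the Guest account that is evaluated before any granted permission), and shows that the Guest account holding `CertificateExportPrivateKey` with Guest Access enabled obtains the private key under the first rule and not under the second. The `CertificateView` permission name, the `is_guest` flag, the `ServerConfig` type and the certificate contents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Permission(Enum):
    # CertificateExportPrivateKey is named in the advisory; CertificateView is an assumption.
    CERTIFICATE_VIEW = "CertificateView"
    CERTIFICATE_EXPORT_PRIVATE_KEY = "CertificateExportPrivateKey"


@dataclass(frozen=True)
class Certificate:
    name: str
    certificate_pem: str   # constructed placeholder, not a real certificate
    private_key_pem: str   # constructed placeholder, not a real key


@dataclass(frozen=True)
class User:
    username: str
    permissions: frozenset
    is_guest: bool = False   # True only for the built-in Guest account (assumed flag)


@dataclass(frozen=True)
class ServerConfig:
    guest_access_enabled: bool   # the "Guest Access" server switch (assumed shape)


class AuthorizationError(PermissionError):
    """Raised when the caller is not allowed to perform the requested export."""


def can_export_private_key_vulnerable(user: User) -> bool:
    """Pre-fix rule as the advisory describes it: a pure permission lookup.
    Any account holding CertificateExportPrivateKey, Guest included, passes."""
    return Permission.CERTIFICATE_EXPORT_PRIVATE_KEY in user.permissions


def can_export_private_key(user: User) -> bool:
    """Fixed rule: the Guest deny is evaluated first, so no granted permission
    can override it for that account."""
    if user.is_guest:
        return False
    return Permission.CERTIFICATE_EXPORT_PRIVATE_KEY in user.permissions


def export_certificate(user: User, cert: Certificate, include_private_key: bool,
                       config: ServerConfig,
                       checker: Callable[[User], bool] = can_export_private_key) -> dict:
    """Export `cert` on behalf of `user`, checking in order: the Guest Access
    switch, the view permission, then the private-key rule given by `checker`."""
    if user.is_guest and not config.guest_access_enabled:
        raise AuthorizationError("Guest access is disabled on this server")
    if Permission.CERTIFICATE_VIEW not in user.permissions:
        raise AuthorizationError(f"{user.username} may not view certificates")
    if include_private_key and not checker(user):
        raise AuthorizationError(f"{user.username} may not export private keys")
    return {
        "name": cert.name,
        "certificate": cert.certificate_pem,
        "private_key": cert.private_key_pem if include_private_key else None,
    }


# Constructed sample data: the Guest account has (mistakenly) been granted the
# high-level permission and Guest Access is on, which is the advisory's scenario.
ALL_CERT_PERMS = frozenset({Permission.CERTIFICATE_VIEW,
                            Permission.CERTIFICATE_EXPORT_PRIVATE_KEY})
GUEST = User("Guest", ALL_CERT_PERMS, is_guest=True)
ADMIN = User("alice", ALL_CERT_PERMS)
CONFIG = ServerConfig(guest_access_enabled=True)
SAMPLE_CERT = Certificate("www.example.test",
                          "-----CONSTRUCTED CERTIFICATE-----",
                          "-----CONSTRUCTED PRIVATE KEY-----")


def private_key_obtained(user: User, config: ServerConfig,
                         checker: Callable[[User], bool]) -> bool:
    """True if `user` receives the private key when exporting under `checker`."""
    try:
        result = export_certificate(user, SAMPLE_CERT, True, config, checker=checker)
    except AuthorizationError:
        return False
    return result["private_key"] is not None


if __name__ == "__main__":
    print("pre-fix, Guest gets key:", private_key_obtained(GUEST, CONFIG, can_export_private_key_vulnerable))
    print("fixed,   Guest gets key:", private_key_obtained(GUEST, CONFIG, can_export_private_key))
    print("fixed,   admin gets key:", private_key_obtained(ADMIN, CONFIG, can_export_private_key))
```

The design point is that the deny is attached to the account identity rather than to the permission set, so a later misconfiguration of roles (the scenario the advisory recommends against) cannot re-open the path; disabling Guest Access remains an independent, earlier check.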