Enforce obfuscation in deployment logs of sensitive variables contributed via machines (CVE-2018-11320)
#4578
Labels: area/security, kind/bug (a verified problem we are committed to solving), tag/regression (addressed and shipped, but subsequently broken in another release)
When an Azure Target is involved in a deployment, the sensitive account variables linked to it are not obfuscated in the logs.
Steps to reproduce
1. Create an Azure Subscription account.
2. Create an Azure WebApp target that uses the previously created account.
3. Add a Deploy Azure WebApp step that uses the same role as the previously created target.
4. Add OctopusPrintVariables to the project.
What you expect to see
The printed log should show ******* as the value of the variable Octopus.Action.Azure.Password.
What you see instead
The actual value of the Azure password is printed to the logs.
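As an added defender-side illustration (not Octopus Deploy's code), the following Python models the regression: a log sanitizer built only from project variables misses values contributed by the account linked to the target, while one built from every contributing scope masks Octopus.Action.Azure.Password as the expected output above requires. Everything except that variable name (the other names, the values, and the function names) is a constructed assumption.

```python
"""Masking sensitive variables in deployment logs, including target-contributed ones."""
import re

MASK = "*******"

# Constructed sample data, shaped as (name, value, is_sensitive).
# PROJECT_VARIABLES are defined on the project; ACCOUNT_VARIABLES are
# contributed by the Azure account linked to the deployment target.
PROJECT_VARIABLES = [
    ("Octopus.Project.Name", "WebApp", False),
    ("DatabasePassword", "pr0ject-secret", True),
]
ACCOUNT_VARIABLES = [
    ("Octopus.Action.Azure.SubscriptionId", "00000000-0000-0000-0000-000000000000", False),
    ("Octopus.Action.Azure.Password", "acc0unt-secret", True),  # placeholder value
]

def build_sanitizer(*scopes):
    """Return a function that replaces every sensitive value in the given scopes with MASK.

    Longest values go first so a secret containing a shorter secret is masked whole.
    """
    secrets = sorted({v for scope in scopes for _, v, s in scope if s and v}, key=len, reverse=True)
    if not secrets:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(v) for v in secrets))
    return lambda line: pattern.sub(MASK, line)

def print_variables(sanitize, *scopes):
    """Emulate OctopusPrintVariables: one log line per variable, passed through the sanitizer."""
    merged = {name: value for scope in scopes for name, value, _ in scope}
    return [sanitize(f"[{name}] = '{value}'") for name, value in sorted(merged.items())]

def find_leaks(log_lines, *scopes):
    """Defender check: names of sensitive variables whose value appears verbatim in the log."""
    secrets = {name: v for scope in scopes for name, v, s in scope if s}
    return sorted(name for name, v in secrets.items() if any(v in line for line in log_lines))

def regressed_log():
    # Regression pattern: the sanitizer only knows about project variables.
    return print_variables(build_sanitizer(PROJECT_VARIABLES), PROJECT_VARIABLES, ACCOUNT_VARIABLES)

def fixed_log():
    # Fix: the sanitizer is built from every scope that contributes variables.
    return print_variables(build_sanitizer(PROJECT_VARIABLES, ACCOUNT_VARIABLES),
                           PROJECT_VARIABLES, ACCOUNT_VARIABLES)

if __name__ == "__main__":
    for label, lines in (("regressed", regressed_log()), ("fixed", fixed_log())):
        print(label, "leaks:", find_leaks(lines, PROJECT_VARIABLES, ACCOUNT_VARIABLES))
        print("\n".join(lines))
```

Running find_leaks over real deployment logs with the known sensitive values is a cheap post-deployment check that catches this class of regression before logs are retained or shared.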
Octopus releases with this regression bug
This issue came about with a changed execution pipeline that was available from 2018.3.8; however, the code path that led to this bug would not have been commonly executed until the Azure targets were introduced in 2018.5.0.
CVE
CVE-2018-11320