CVE-2018-18900: Sensitive output variables appear unmasked in task logs #5047
Incorrect access control in Octopus Deploy 2018.5.2 through 2018.9.2 allows remote authenticated users to gain access to sensitive variables via deployment task logs.
Sensitive variables that have been output using the
The leak only occurs when the variable is output in a child step. For example:
This affects versions of Octopus since the introduction of sensitive output variables in 2018.5.2. The issue has been resolved in 2018.9.2.
Internal issue: OctopusDeploy/OctopusDeploy#3056