
CVE-2018-18900: Sensitive output variables appear unmasked in task logs #5047

Closed
tothegills opened this issue Nov 1, 2018 · 1 comment

Comments

@tothegills

commented Nov 1, 2018

Summary

Incorrect access control in Octopus Deploy 2018.5.2 through 2018.9.2 allows remote authenticated users to gain access to sensitive variables via deployment task logs.

Impact

Sensitive variables that have been output using the Set-OctopusVariable -Name "SensitiveOutput" -Value "IAmSecret" -Sensitive syntax can be leaked to anyone with access to view the task logs of a deployment. The variable can be leaked inadvertently if the deployment writes the variable to an output stream that is then parsed into the task log by Octopus, or deliberately by retrieving the value of the variable using the $OctopusParameters["Octopus.Action[Output].Output.SensitiveOutput"] syntax and writing it to an output stream.

The leak only occurs when the variable is output in a child step. For example:

image
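To make the child-step case concrete from the defender's side, here is an added illustration (not Octopus Deploy's own code, and not the actual fix) of what a task-log sink has to do so that a sensitive output variable set in a parent step stays masked when a child step later writes it to an output stream. The `TaskLogSink` class, the `Octopus.Action[<step>].Output.<name>` key construction, the `find_unmasked` audit helper and the sample value `IAmSecret` are assumptions made for this example; the point is that the value must be registered for redaction at the moment `-Sensitive` is set, not per step.

```python
"""Masking sensitive output variables in deployment task logs.

Hypothetical model (not Octopus Deploy's implementation): a log sink that
learns sensitive values as output variables are set and redacts them from
every later line, whichever step emits it, plus an audit helper for
checking an existing task log for values that reached it unmasked.
"""

MASK = "********"


class TaskLogSink:
    """Collects task-log lines and redacts known sensitive values."""

    def __init__(self):
        self._sensitive = set()   # raw sensitive values registered so far
        self.lines = []           # what a user viewing the task log would see

    def set_output_variable(self, step, name, value, sensitive=False):
        """Model of Set-OctopusVariable: exposes the value under the
        Octopus.Action[<step>].Output.<name> key (assumed naming) and, when
        marked sensitive, registers it for masking before any line that
        might contain it is written.
        """
        key = f"Octopus.Action[{step}].Output.{name}"
        if sensitive and value:
            self._sensitive.add(value)
        return key

    def write(self, step, line):
        """Append a line from any step, redacted against every registered value."""
        self.lines.append(f"[{step}] {self.redact(line)}")

    def redact(self, text):
        # Longest values first, so a value that is a prefix of another
        # cannot leave the longer value's tail visible after replacement.
        for value in sorted(self._sensitive, key=len, reverse=True):
            text = text.replace(value, MASK)
        return text


def find_unmasked(lines, sensitive_values):
    """Audit helper: (line_no, value) pairs where a sensitive value appears verbatim.

    Useful for checking logs produced by an affected version after the fact.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        for value in sensitive_values:
            if value in line:
                hits.append((number, value))
    return hits


def demo():
    """Parent step sets a sensitive output variable; a child step writes it out."""
    sink = TaskLogSink()
    params = {}  # stands in for $OctopusParameters in the child step
    # Constructed sample value; in practice this would be a real credential.
    key = sink.set_output_variable("Parent", "SensitiveOutput", "IAmSecret", sensitive=True)
    params[key] = "IAmSecret"
    # Child step inadvertently echoes the output variable to its output stream.
    sink.write("Child", f"Connecting with token {params[key]}")
    sink.write("Child", "Deployment finished")
    return sink.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Masking by exact substring is only as good as the registry feeding it: a value that is transformed before it is printed (encoded, split across lines, or embedded in a larger string such as a URL) will not match, so `find_unmasked` should be read as a lower bound when auditing logs from an affected version rather than proof that nothing leaked.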

Affected versions

This affects versions of Octopus since the introduction of sensitive output variables in 2018.5.2. The issue has been resolved in 2018.9.2.

Internal issue: OctopusDeploy/OctopusDeploy#3056

@tothegills tothegills self-assigned this Nov 1, 2018
@tothegills tothegills changed the title from "CVE Placeholder" to "CVE-2018-18900: Sensitive output variables appear unmasked in task logs" Nov 4, 2018
@tothegills tothegills added this to the 2018.9.2 milestone Nov 4, 2018
@tothegills tothegills closed this Nov 4, 2018
@octoreleasebot octoreleasebot removed this from the 2018.9.2 milestone Nov 4, 2018
@tothegills tothegills added this to the 2018.9.2 milestone Nov 5, 2018
@lock


commented Feb 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 3, 2019