Proxy password may be logged in clear text in certain circumstances #5739

Closed
matt-richardson opened this issue Jul 25, 2019 · 2 comments

Comments

@matt-richardson
commented Jul 25, 2019

Relates to: OctopusDeploy/OctopusDeploy#4112.

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain limited circumstances, the password for a proxy configured via the Octopus Server Manager may be logged in cleartext to the deployment log.

CVE: CVE-2019-14268

Affected versions

Octopus Server: 3.0.19 to 2019.7.3

Mitigation

Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.

Workarounds

Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.

Source

Source: Internally reported

@octoreleasebot

commented Jul 25, 2019

Release Note: Fixed issue where proxy password was in certain circumstances rendered as clear text in deployment log

@matt-richardson changed the title from "Placeholder" to "Proxy password may be logged in clear text in certain circumstances" on Jul 25, 2019