Proxy password may be logged in clear text in certain circumstances #5739

Closed
@matt-richardson

Relates to: OctopusDeploy/OctopusDeploy#4112.

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain limited circumstances, the password for a proxy configured via the Octopus Server Manager may be logged in cleartext to the deployment log.

CVE: CVE-2019-14268

Affected versions

Octopus Server: 3.0.19 to 2019.7.3

Mitigation

Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.

Workarounds

Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.

Source

Source: Internally reported

Labels

  • area/security
  • kind/bug: This issue represents a verified problem we are committed to solving
  • priority: (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
