Proxy password may be logged in clear text in certain circumstances #5739

Closed
5 tasks done
matt-richardson opened this issue Jul 25, 2019 · 3 comments
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible

matt-richardson commented Jul 25, 2019

Relates to: OctopusDeploy/OctopusDeploy#4112.

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain limited circumstances, the password for a proxy configured via the Octopus Server Manager may be logged in cleartext to the deployment log.

CVE: CVE-2019-14268

Affected versions

Octopus Server: 3.0.19 to 2019.7.3

Mitigation

Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.

Workarounds

Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.

Source

Source: Internally reported

matt-richardson added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Jul 25, 2019
matt-richardson added this to the 2019.7.3 milestone Jul 25, 2019
matt-richardson self-assigned this Jul 25, 2019

octoreleasebot commented Jul 25, 2019

Release Note: Fixed issue where proxy password was in certain circumstances rendered as clear text in deployment log

matt-richardson changed the title from "Placeholder" to "Proxy password may be logged in clear text in certain circumstances" Jul 25, 2019

lock bot commented Oct 24, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

lock bot locked as resolved and limited conversation to collaborators Oct 24, 2019
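
A check a defender might run after upgrading, added here as an example and not code from Octopus Deploy or from this issue: it searches exported deployment logs for a known proxy credential and prints only redacted lines. The issue does not say which form the password took in the log, so the three forms searched for, the function names and the sample log lines are all assumptions.

```python
import base64
import getpass
import sys
from urllib.parse import quote

def credential_forms(username, password):
    """Forms the proxy password could take in log text (assumed, not from the issue)."""
    if not password:
        raise ValueError("an empty password would match every line")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    forms = {"cleartext": password,
             "percent-encoded": quote(password, safe=""),
             "basic-auth-base64": basic}
    unique = {}
    for label, value in forms.items():
        if value not in unique.values():  # simple passwords encode to themselves
            unique[label] = value
    return unique

def scan_log(lines, username, password):
    """Return (line_number, matched_forms, redacted_line) for each exposing line."""
    forms = credential_forms(username, password)
    hits = []
    for number, line in enumerate(lines, start=1):
        matched = [label for label, value in forms.items() if value in line]
        if matched:
            redacted = line.rstrip("\n")
            for value in sorted(forms.values(), key=len, reverse=True):
                redacted = redacted.replace(value, "[REDACTED]")
            hits.append((number, matched, redacted))
    return hits

# Constructed sample lines; this is not real Octopus log output.
SAMPLE_USER, SAMPLE_PASSWORD = "svc-proxy", "S3cr@t/Pw"
SAMPLE_LOG = [
    "12:00:01 Info  Starting step",
    "12:00:02 Verbose  proxy=http://svc-proxy:S3cr%40t%2FPw@proxy.example.internal:8080",
    "12:00:03 Verbose  Proxy-Authorization: Basic "
    + credential_forms(SAMPLE_USER, SAMPLE_PASSWORD)["basic-auth-base64"],
    "12:00:04 Verbose  proxy password S3cr@t/Pw",
]

if __name__ == "__main__":
    # Usage: python scan.py exported-log.txt [...]; the password is prompted, not echoed.
    user, secret = input("Proxy username: "), getpass.getpass("Proxy password: ")
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, matched, redacted in scan_log(handle, user, secret):
                print(f"{path}:{number}: {', '.join(matched)}: {redacted}")
```

Any hit means the proxy password should be treated as exposed to everyone who could read that log and rotated; short or dictionary-word passwords can produce false positives in the cleartext form.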