Closed
Description
Relates to: OctopusDeploy/OctopusDeploy#4112.
Prerequisites
- We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
- I have raised a CVE according to our CVE process.
- I have written a descriptive issue title
- I have linked the original source of this report
- I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)
Description
In certain limited circumstances, the password for a proxy configured via the Octopus Server Manager may be logged in cleartext to the deployment log.
CVE: CVE-2019-14268
Affected versions
Octopus Server: 3.0.19 to 2019.7.3
Mitigation
Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.
Workarounds
Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.
Source
Source: Internally reported