Proxy password may be logged in clear text in certain circumstances #5739
Labels: area/security, kind/bug, priority
Relates to: OctopusDeploy/OctopusDeploy#4112.
Description
In certain limited circumstances, the password for a proxy configured via the Octopus Server Manager may be logged in cleartext to the deployment log.
CVE: CVE-2019-14268
Affected versions
Octopus Server: 3.0.19 to 2019.7.3
Mitigation
Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.
Workarounds
Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.
Source
Source: Internally reported