Tentacle TentacleProxyPassword logged in clear text when OctopusPrintVariables is set #5750

Closed
5 tasks done
flin-8 opened this issue Aug 1, 2019 · 1 comment
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving LTS/2019.3 This issue affects 2019.3 LTS LTS/2019.6 This issue affects 2019.6 LTS priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Comments

flin-8 commented Aug 1, 2019

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain limited circumstances, the password for a proxy configured via the Octopus Tentacle Manager may be logged in cleartext to the deployment log.

CVE: CVE-2019-15508

Affected versions

Octopus Tentacle: 3.0.8 to 5.0.0
Octopus Server: 3.0.8 to 2019.7.6

Mitigation

Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.

Workarounds

Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.

Source

Source: [Internally reported]
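
Added example (not part of the original issue and not Octopus Deploy's code): a Python check for auditing retained deployment logs for the exposure described above, reporting affected line numbers and producing a redacted copy without echoing the secret. The `[Name] = 'value'` line shape and the `********` mask are assumptions, since the issue does not show the log format; only the variable name `TentacleProxyPassword` comes from the issue title.

```python
import re

# Assumed shape of a printed variable line: [Name] = 'value'. The issue does not
# show the log format, so adjust VAR_LINE to match your own deployment logs.
VAR_LINE = re.compile(r"\[(?P<name>[^\]]+)\]\s*=\s*'(?P<value>.*)'\s*$")
LEAKED_NAME = "TentacleProxyPassword"   # variable named in the issue title
MASK = "********"                       # assumed placeholder for masked values


def scan_log(lines):
    """Return (findings, redacted_lines) without ever echoing the secret.

    findings lists (line_number, variable_name) for each line where the proxy
    password variable is printed with a non-empty, unmasked value.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, start=1):
        match = VAR_LINE.search(line)
        if match and match["name"].lower() == LEAKED_NAME.lower():
            value = match["value"]
            # An empty value or a run of asterisks is not an exposure.
            if value and set(value) != {"*"}:
                findings.append((number, match["name"]))
                line = line[:match.start("value")] + MASK + line[match.end("value"):]
        redacted.append(line)
    return findings, redacted


# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LOG = [
    "12:00:01 Verbose | The following variables are available:",
    "12:00:01 Verbose | [Octopus.Action.Name] = 'Deploy web'",
    "12:00:01 Verbose | [Octopus.Environment.Name] = 'Production'",
    "12:00:01 Verbose | [TentacleProxyPassword] = 'constructed-secret'",
    "12:00:02 Verbose | [TentacleProxyPassword] = '********'",
    "12:00:02 Verbose | [TentacleProxyPassword] = ''",
]

if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for number, name in hits:
        print(f"line {number}: {name} printed in cleartext; rotate the proxy credential")
    print("\n".join(clean))
```

Any finding means the proxy credential should be treated as exposed to everyone who can read that log, so rotate it after upgrading past the affected versions.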

@flin-8 flin-8 added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Aug 1, 2019
@flin-8 flin-8 added this to the 2019.7.7 milestone Aug 6, 2019
@flin-8 flin-8 self-assigned this Aug 6, 2019
@flin-8 flin-8 closed this as completed Aug 6, 2019
@flin-8 flin-8 changed the title Placeholder for #138 master Addressed security issue, details TBA Aug 7, 2019
@flin-8 flin-8 changed the title Addressed security issue, details TBA Tentacle TentacleProxyPassword logged in clear text when OctopusPrintVariables is set Aug 16, 2019
@flin-8 flin-8 added LTS/2019.3 This issue affects 2019.3 LTS LTS/2019.6 This issue affects 2019.6 LTS labels Aug 16, 2019

lock bot commented Jan 28, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 28, 2020