Tentacle TentacleProxyPassword logged in clear text when OctopusPrintVariables is set #5750
Closed
5 tasks done
Labels
area/security
kind/bug
This issue represents a verified problem we are committed to solving
LTS/2019.3
This issue affects 2019.3 LTS
LTS/2019.6
This issue affects 2019.6 LTS
priority
(obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Milestone
Prerequisites
Description
In certain limited circumstances, the password for a proxy configured via the Octopus Tentacle Manager may be logged in cleartext to the deployment log.
CVE:
CVE-2019-15508
Affected versions
Octopus Tentacle: 3.0.8 to 5.0.0
Octopus Server: 3.0.8 to 2019.7.6
Mitigation
Only customers using a proxy which requires authentication are affected. Unfortunately, there are no good mitigations for this.
Workarounds
Unfortunately, nothing good.
Use of a transparent proxy over ones that require configuration is good practice.
Source
Source: [Internally reported]
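An added example, not part of the original issue and not Octopus's own code: a scan of saved deployment logs for the exposure described above, reporting each match without echoing the secret. The `[Name] = 'value'` line shape, the `*` masking convention and the sample log lines are assumptions constructed for illustration; adjust the pattern to the output your logs actually contain.

```python
import re

# Assumption: a printed variable appears in the log as  [Name] = 'value'
VAR_LINE = re.compile(r"\[(?P<name>[^\]]+)\]\s*=\s*'(?P<value>.*)'")
TARGET = "tentacleproxypassword"   # variable name from the issue title
MASKED = re.compile(r"^\*+$")      # assumption: masked values are all asterisks

def find_exposures(lines):
    """Return (line_number, redacted_line) for every line that prints the
    proxy password variable with a non-empty, unmasked value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = VAR_LINE.search(line)
        if not match or match.group("name").lower() != TARGET:
            continue
        value = match.group("value")
        if value == "" or MASKED.match(value):
            continue  # nothing sensitive was written on this line
        # Never copy the secret into the report: replace it before recording.
        redacted = (line[:match.start("value")] + "<redacted>"
                    + line[match.end("value"):])
        hits.append((number, redacted.rstrip()))
    return hits

# Constructed sample log, not real Octopus output.
SAMPLE_LOG = """\
12:00:01 Verbose | [Constructed.Example] = 'Deploy web'
12:00:01 Verbose | [Constructed.Other] = 'proxy.example.internal'
12:00:01 Verbose | [TentacleProxyPassword] = 'constructed-secret'
12:00:02 Verbose | [TentacleProxyPassword] = '********'
12:00:03 Verbose | [TentacleProxyPassword] = ''
""".splitlines()

if __name__ == "__main__":
    for number, redacted in find_exposures(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Any hit means the proxy credential should be treated as disclosed to everyone who can read that log, and rotated.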