(Hosted only) Local path configuration disclosed when uploading maliciously crafted package #5971

Closed
gupta-kartik opened this issue Nov 5, 2019 · 4 comments
Labels
kind/bug This issue represents a verified problem we are committed to solving


gupta-kartik commented Nov 5, 2019

Note: affects customers on Octopus Cloud hosted instances. For all other customers this was fixed in #5956

An authenticated user could upload a maliciously crafted package, triggering an exception that discloses details of the underlying operating system.

CVE: CVE-2019-19084

Relates to https://github.com/OctopusDeploy/OctopusDeploy/issues/4684

@gupta-kartik gupta-kartik added the kind/bug This issue represents a verified problem we are committed to solving label Nov 5, 2019
@gupta-kartik gupta-kartik self-assigned this Nov 5, 2019
@gupta-kartik gupta-kartik added this to the 2019.10.5 milestone Nov 5, 2019
@whereisaaron

Uh oh, security vulnerability incoming... Should I cancel drinks on Friday? 🍺 😢

gupta-kartik commented Nov 7, 2019

Release Note: Fixed an information disclosure vulnerability during error handling of maliciously crafted packages on Octopus Cloud

@matt-richardson matt-richardson changed the title Placeholder Issue Local path configuration disclosed when uploading maliciously crafted package Nov 17, 2019
@gupta-kartik gupta-kartik changed the title Local path configuration disclosed when uploading maliciously crafted package (Hosted only) Local path configuration disclosed when uploading maliciously crafted package Nov 17, 2019
lock bot commented Feb 16, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 16, 2020