(Hosted only) Local path configuration disclosed when uploading maliciously crafted package #5971

Closed
gupta-kartik opened this issue Nov 5, 2019 · 3 comments

@gupta-kartik gupta-kartik commented Nov 5, 2019

Note: affects customers on Octopus Cloud hosted instances. For all other customers this was fixed in #5956.

An authenticated user could upload a maliciously crafted package, triggering an exception that discloses details of the underlying operating system.

CVE: CVE-2019-19084

Relates to OctopusDeploy/OctopusDeploy#4684

@gupta-kartik gupta-kartik self-assigned this Nov 5, 2019
@gupta-kartik gupta-kartik added this to the 2019.10.5 milestone Nov 5, 2019

@whereisaaron whereisaaron commented Nov 5, 2019

Uh oh, security vulnerability incoming... Should I cancel drinks on Friday? 🍺 😢


@gupta-kartik gupta-kartik commented Nov 7, 2019

Release Note: Fixed an information disclosure vulnerability during error handling of maliciously crafted packages on Octopus Cloud

@matt-richardson matt-richardson changed the title Placeholder Issue Local path configuration disclosed when uploading maliciously crafted package Nov 17, 2019
@gupta-kartik gupta-kartik changed the title Local path configuration disclosed when uploading maliciously crafted package (Hosted only) Local path configuration disclosed when uploading maliciously crafted package Nov 17, 2019