CSRF cookie sometimes missing secure attribute #5998

Closed
matt-richardson opened this issue Nov 14, 2019 · 2 comments

matt-richardson commented Nov 14, 2019

When Octopus is configured behind a load balancer, and SSL offloading is configured, Octopus will sometimes send the CSRF cookie without the secure attribute.

CVE: CVE-2019-19375

Relates to https://github.com/OctopusDeploy/OctopusDeploy/issues/4763

@matt-richardson matt-richardson added the kind/bug This issue represents a verified problem we are committed to solving label Nov 14, 2019

@octoreleasebot octoreleasebot added this to the 2019.10.7 milestone Nov 14, 2019
@matt-richardson matt-richardson changed the title Placeholder issue CSRF cookie sometimes missing secure attribute Nov 28, 2019

lock bot commented Feb 28, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 28, 2020
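
Because the issue describes the attribute as missing only sometimes, one response is not enough to confirm the behaviour or a fix. The following is an added example, not Octopus code and not part of the issue: it tallies, per cookie, how often `Secure` was absent across several captured responses. The cookie names and header values are constructed placeholders.

```python
from collections import defaultdict


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; it is never treated as an attribute,
    # so a cookie whose *value* is "Secure" is not mistaken for a flagged one.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_secure(responses):
    """responses: one list of Set-Cookie values per HTTPS response.
    Returns {cookie name: (times seen, times sent without Secure)}."""
    stats = defaultdict(lambda: [0, 0])
    for headers in responses:
        for header in headers:
            name, attrs = parse_set_cookie(header)
            stats[name][0] += 1
            if "secure" not in attrs:
                stats[name][1] += 1
    return {name: tuple(counts) for name, counts in stats.items()}


def intermittent(stats):
    """Cookies sent both with and without Secure: the 'sometimes' case."""
    return sorted(n for n, (seen, missing) in stats.items() if 0 < missing < seen)


# Constructed sample: Set-Cookie values from three responses observed at the
# HTTPS side of a load balancer (placeholder names, not real product cookies).
SAMPLE = [
    ["example-csrf=abc123; Path=/; Secure; SameSite=Strict",
     "example-session=s1; Path=/; Secure; HttpOnly"],
    ["example-csrf=def456; Path=/; SameSite=Strict",
     "example-session=s1; Path=/; Secure; HttpOnly"],
    ["example-csrf=ghi789; Path=/; secure"],
]

if __name__ == "__main__":
    result = audit_secure(SAMPLE)
    for name, (seen, missing) in sorted(result.items()):
        print(f"{name}: seen {seen}, without Secure {missing}")
    print("intermittent:", intermittent(result))
```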