Invalid request submitted to Team API can cause denial of service #6005
Labels: kind/bug (This issue represents a verified problem we are committed to solving)
If a malformed request is submitted to the Team API, for either create or modify, the save is successful. However, the code that reads the team data isn't expecting the invalid data and hits a null reference exception.
Without that cache the server APIs cannot load permissions and return an error for all incoming requests. It isn't possible to create this situation through the portal, only through the API.
CVE: CVE-2019-19376
Relates to OctopusDeploy/OctopusDeploy#4740
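
The failure mode reported above, as an added Python sketch (not Octopus Deploy code and not part of the original report): a write path that saves without validating, a cache build that one stored bad row aborts, and the same validation applied on read so the bad row is set aside. All function and field names are hypothetical, and the null member list is an assumption, since the issue does not say which field was malformed.

```python
# Added illustration with hypothetical names and constructed data.
# Assumption: the malformed field is a null list; the issue does not say which.

class ValidationError(ValueError):
    """Raised when a team record is malformed."""


def validate_team(record):
    """Reject a malformed team record; used on both the write and read paths."""
    if not isinstance(record, dict):
        raise ValidationError("team must be an object")
    for key in ("id", "name"):
        if not isinstance(record.get(key), str) or not record[key]:
            raise ValidationError(f"{key} must be a non-empty string")
    for key in ("member_ids", "role_ids"):
        value = record.get(key)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValidationError(f"{key} must be a list of strings")
    return record


def build_cache_fragile(rows):
    """Trusts storage: one bad row aborts the whole permission cache build."""
    cache = {}
    for row in rows:
        for member in row["member_ids"]:  # TypeError when the stored value is None
            cache.setdefault(member, set()).update(row["role_ids"])
    return cache


def build_cache_hardened(rows):
    """Re-validates on read: a bad row is set aside and reported, the rest load."""
    cache, rejected = {}, []
    for row in rows:
        try:
            team = validate_team(row)
        except ValidationError as exc:
            rejected.append((row.get("id") if isinstance(row, dict) else None, str(exc)))
            continue
        for member in team["member_ids"]:
            cache.setdefault(member, set()).update(team["role_ids"])
    return cache, rejected


# Constructed sample: one valid row and one row already saved with a null list.
SAMPLE_ROWS = [
    {"id": "Teams-1", "name": "Ops", "member_ids": ["Users-1"], "role_ids": ["admin"]},
    {"id": "Teams-2", "name": "Bad", "member_ids": None, "role_ids": ["viewer"]},
]
```

Calling `validate_team` before the save closes the write path; keeping it in the cache build means a row stored before the fix cannot take down permission loading for every request.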