Invalid request submitted to Team API can cause denial of service #6005
Assignees
Labels
kind/bug
This issue represents a verified problem we are committed to solving
Milestone
Comments
matt-richardson
added
the
kind/bug
matt-richardson
changed the title
|
This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
If a malformed request is submitted to the Team API, for either create or modify, the save is successful. However, the code that reads the team data isn't expecting the invalid data and hits a null reference exception.
Without that cache the server APIs cannot load permissions and return an error for all incoming requests. It isn't possible to create this situation through the portal, only through the API.
CVE: CVE-2019-19376
Relates to OctopusDeploy/OctopusDeploy#4740
The text was updated successfully, but these errors were encountered: