
Helm chart download can leak feed password #6438

Closed · 5 tasks done
matt-richardson opened this issue Jun 19, 2020 · 5 comments
Labels: area/security; kind/bug (This issue represents a verified problem we are committed to solving); priority (obsolete) (This issue has been recognised as a priority and should be addressed as soon as possible)

Comments

matt-richardson (Contributor) commented Jun 19, 2020

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

In certain circumstances, downloading a package from the helm feed can leak the feed password to a deployment log. This means that an authenticated user could see a password that they would potentially not be authorized to view.

Affected versions

Octopus Server: 2018.8.0 - 2019.12.1

Mitigation

Not a lot of good options here:

  • Upgrade to 2019.12.2+
  • rotate feed passwords on a regular basis

Workarounds

None known.

CVE

CVE-2020-14470
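A defender-side check for this class of issue, added here as an example and not code from Octopus Deploy or this issue: it scans constructed sample deployment-log lines for a feed credential embedded in a repository URL or passed as a `--password` argument and returns redacted copies of the lines that carried one, so an operator can tell whether a password was exposed and must be rotated. The log lines, hostnames and password value are constructed, and the assumption that the credential surfaces in one of those two forms is mine, since the issue does not say how it appeared.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample deployment-log lines (not taken from any real Octopus log).
SAMPLE_LOG = """\
2020-06-19 10:02:11 INFO  Downloading chart from https://deploy:S3cretPass@charts.example.internal/repo/index.yaml
2020-06-19 10:02:12 INFO  helm fetch --username deploy --password S3cretPass myrepo/mychart --version 1.2.3
2020-06-19 10:02:13 INFO  Downloaded chart to /tmp/mychart-1.2.3.tgz
2020-06-19 10:02:14 INFO  Executing: helm upgrade --install web ./mychart
"""

# Any scheme://... token up to whitespace or a quote; checked for embedded userinfo below.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"]+", re.I)
# A password passed on the command line as "--password X" or "--password=X".
PASSWORD_ARG_RE = re.compile(r"(--password[= ])(\S+)")


def redact_url_userinfo(url: str) -> tuple[str, bool]:
    """Replace the password in user:pass@host with ***; returns (url, had_password)."""
    parts = urlsplit(url)
    if parts.password is None:
        return url, False
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    user = parts.username or ""
    netloc = f"{user}:***@{host}" if user else f"***@{host}"
    return urlunsplit(parts._replace(netloc=netloc)), True


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that carried a feed credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        leaked = False

        def _redact_url(match):
            nonlocal leaked
            redacted, hit = redact_url_userinfo(match.group(0))
            leaked = leaked or hit
            return redacted

        line = URL_RE.sub(_redact_url, line)
        line, arg_hits = PASSWORD_ARG_RE.subn(r"\1***", line)
        if leaked or arg_hits:
            findings.append((lineno, line))
    return findings
```

Run `scan_log` over an exported deployment log; a non-empty result means the feed password was written to a log that other authenticated users could read, which is the case where rotation (the second mitigation above) is needed rather than optional.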

@matt-richardson added the kind/bug, priority (obsolete) and area/security labels Jun 19, 2020
@matt-richardson matt-richardson added this to the 2019.12.2 milestone Jun 19, 2020
@matt-richardson matt-richardson self-assigned this Jun 19, 2020

octoreleasebot commented Jun 19, 2020

Release Note: Fixed potential leakage of feed password into deployment log (CVE-2020-14470)

matt-richardson (Contributor, Author) commented:

That link points to a private repo.

galaktipus commented:

Thanks @matt-richardson, is there any commit that is visible and not part of a private repo to fix the above vulnerability?

matt-richardson (Contributor, Author) commented:

There is no public commit - Octopus Deploy is closed source.

Can I ask your interest here? If I can understand what you're trying to discover, I might be able to help.
