Self-hosted Octopus susceptible to host-header injection attacks #6622
Labels: area/security, kind/bug, kind/patch-release-note, priority
Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our security team so we can triage your report, making sure it's handled appropriately.
Description
The HTTP to HTTPS redirection middleware uses the value of the request's Host header to build the redirection URL, so a client that sends a forged Host header receives a redirect whose Location points at a host of the attacker's choosing. On its own that only affects the attacker's own request, but when Octopus is behind a caching reverse proxy that keys its cache on the request path rather than on the incoming Host, the poisoned redirect can be stored and served to other users, allowing their requests to be hijacked.
Affected versions
Octopus Server: 2019.8.2 to Current
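The following is an added illustration and is not Octopus Deploy code; the PR that fixed this issue is linked below but its contents are not reproduced on this page. It models the flawed redirect (Location built from the client-supplied Host), a caching reverse proxy that keys its cache on the path only, and one common hardening: validating the Host against an allow-list of configured hostnames and failing closed with an uncacheable error otherwise. The hostnames, paths, and the proxy's caching rule are all constructed for the example.

```python
# Added example, not Octopus Deploy code. Models an HTTP->HTTPS redirect that
# trusts the Host header, a caching reverse proxy in front of it, and a hardened
# redirect that validates Host against an allow-list. All hostnames, paths and
# the proxy's caching rule are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased


@dataclass
class Response:
    status: int
    headers: Dict[str, str]


def redirect_to_https_vulnerable(req: Request) -> Response:
    """The flaw: whatever Host the client sent ends up in the Location header."""
    host = req.headers.get("host", "")
    return Response(301, {"Location": f"https://{host}{req.path}"})


def _hostname(host_header: str) -> str:
    """Lower-case the Host value and strip an optional port, keeping [IPv6] literals intact."""
    host = host_header.strip().lower()
    if host.startswith("["):  # "[::1]:8080" -> "[::1]"
        return host[: host.index("]") + 1] if "]" in host else host
    return host.split(":", 1)[0]


def redirect_to_https_fixed(
    req: Request,
    allowed_hosts: FrozenSet[str] = frozenset({"octopus.example.com"}),  # constructed allow-list
) -> Response:
    """Only redirect to a hostname the operator configured; never echo an unknown Host."""
    host = _hostname(req.headers.get("host", ""))
    if host not in allowed_hosts:
        # Fail closed, and mark the error uncacheable so a proxy cannot store it either.
        return Response(400, {"Cache-Control": "no-store"})
    return Response(301, {"Location": f"https://{host}{req.path}"})


class CachingProxy:
    """Caches redirects keyed on method and path only, ignoring the client's Host.

    This mirrors a common real-world setup: nginx's default proxy_cache_key is
    $scheme$proxy_host$request_uri, where $proxy_host is the upstream name, not
    the incoming Host header, so two requests with different Host values share
    one cache entry.
    """

    def __init__(self, upstream: Callable[[Request], Response]):
        self.upstream = upstream
        self.cache: Dict[tuple, Response] = {}

    def fetch(self, req: Request) -> Response:
        key = (req.method, req.path)
        if key in self.cache:
            return self.cache[key]
        resp = self.upstream(req)
        cacheable = resp.status in (301, 302, 307, 308) and "no-store" not in resp.headers.get("Cache-Control", "")
        if cacheable:
            self.cache[key] = resp
        return resp


def poisoning_scenario(handler: Callable[[Request], Response]) -> Response:
    """Attacker primes the cache with a forged Host; returns what a later victim receives."""
    proxy = CachingProxy(handler)
    attacker = Request("GET", "/app", {"host": "evil.example"})           # constructed attacker host
    victim = Request("GET", "/app", {"host": "octopus.example.com"})      # the legitimate host
    proxy.fetch(attacker)  # plants the poisoned redirect in the proxy cache (vulnerable case)
    return proxy.fetch(victim)


if __name__ == "__main__":
    print("vulnerable:", poisoning_scenario(redirect_to_https_vulnerable).headers)
    print("fixed:     ", poisoning_scenario(redirect_to_https_fixed).headers)
```

With the vulnerable handler the victim's request is answered from the cache with a Location pointing at the attacker's host; with the allow-list handler the attacker's priming request gets a 400 that is never cached, and the victim receives a redirect to the configured hostname. When checking a real deployment, confirm both halves: that the application derives redirect targets from configuration (or an allow-list) rather than the raw Host header, and that the proxy's cache key includes the incoming Host, since either alone closes the cache-poisoning path.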
Links
CVE: CVE-2020-26161
Internal Issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/7351
PR: https://github.com/OctopusDeploy/OctopusDeploy/pull/7353