Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Self-hosted Octopus susceptible to host-header injection attacks #6622

Closed
5 tasks done
johnsimons opened this issue Oct 11, 2020 · 3 comments
Closed
5 tasks done

Self-hosted Octopus susceptible to host-header injection attacks #6622

johnsimons opened this issue Oct 11, 2020 · 3 comments
Assignees
@johnsimons
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving kind/patch-release-note Do not use this label anymore priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Milestone
2020.4.3

Comments

@johnsimons
Copy link

johnsimons commented Oct 11, 2020
edited
Loading

Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our security team so we can triage your report, making sure it's handled appropriately.

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

The HTTP to HTTPS redirection middleware will accept the given Host header to generate the redirection URL. This can be exploited to hijack requests when Octopus is behind a caching reverse-proxy.

Affected versions

Octopus Server: 2019.8.2 to Current

Links

CVE: CVE-2020-26161
Internal Issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/7351
PR: https://github.com/OctopusDeploy/OctopusDeploy/pull/7353
@johnsimons johnsimons added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Oct 11, 2020
@johnsimons johnsimons added this to the 2020.4.3 milestone Oct 11, 2020
@johnsimons johnsimons self-assigned this Oct 11, 2020
@johnsimons
Copy link
Author

johnsimons commented Oct 11, 2020
edited
Loading

Release Note: Fix bug where Self-hosted Octopus susceptible to host-header injection attacks (CVE-2020-26161)

@maulda
Copy link

maulda commented Oct 13, 2020

Hello, is the CVE-2020-25825 used twice ? Because it is already mentioned and assigned in #6604.

@johnsimons
Copy link
Author

@pencil-vester, good catch, fixed link. Cheers

@matt-richardson matt-richardson added the kind/patch-release-note Do not use this label anymore label Jan 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnsimons johnsimons

Labels
area/security kind/bug This issue represents a verified problem we are committed to solving kind/patch-release-note Do not use this label anymore priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Projects
None yet
Milestone
2020.4.3
Development

No branches or pull requests
3 participants
@johnsimons @matt-richardson @maulda