Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self-hosted Octopus susceptible to host-header injection attacks #6627

Closed
5 tasks done
johnsimons opened this issue Oct 13, 2020 · 1 comment
Closed
5 tasks done

Self-hosted Octopus susceptible to host-header injection attacks #6627

johnsimons opened this issue Oct 13, 2020 · 1 comment
Assignees
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Milestone

Comments

@johnsimons
Copy link

Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our security team so we can triage your report, making sure it's handled appropriately.

Prerequisites

  • We are ready to publicly disclose this vulnerability or exploit according to our responsible disclosure process.
  • I have raised a CVE according to our CVE process
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/security, kind/bug, tag/regression?)

Description

The HTTP to HTTPS redirection middleware will accept the given Host header to generate the redirection URL. This can be exploited to hijack requests when Octopus is behind a caching reverse-proxy.

Affected versions

Octopus Server: 2019.8.2 to Current

Links

CVE: CVE-2020-26161
Internal Issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/7351
PR: https://github.com/OctopusDeploy/OctopusDeploy/pull/7353

@johnsimons johnsimons added kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible area/security labels Oct 13, 2020
@johnsimons johnsimons added this to the 2020.3.8 milestone Oct 13, 2020
@johnsimons johnsimons self-assigned this Oct 13, 2020
@johnsimons
Copy link
Author

Release Note: Fix bug where Self-hosted Octopus susceptible to host-header injection attacks (CVE-2020-26161)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security kind/bug This issue represents a verified problem we are committed to solving priority (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Projects
None yet
Development

No branches or pull requests

1 participant