WebSocket polling endpoint can allow untrusted connections #6637
Labels
area/security
kind/bug: This issue represents a verified problem we are committed to solving
priority: (obsolete) This issue has been recognised as a priority and should be addressed as soon as possible
Description
If configured, the WebSocket polling endpoint can allow untrusted connections to be made under certain conditions. This endpoint is not enabled by default.
This issue does not affect Octopus Servers running on Linux, as the WebSocket polling endpoint is not available.
Affected versions
Octopus Server: 3.11.13 to 2020.4.5
Mitigation
Upgrade to the latest available supported version of Octopus Server.
Workarounds
Disable WebSocket endpoint
Use the following commands to disable the WebSocket endpoint.
Links
CVE: CVE-2020-27155
Internal Issue: https://github.com/OctopusDeploy/OctopusDeploy/issues/7424
PR: https://github.com/OctopusDeploy/OctopusDeploy/pull/7435