CVE-2019-15507
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8.
En las versiones 2018.8.4 a 2019.7.6 de Octopus Deploy, cuando se configura un proxy de solicitud web, un usuario autenticado (en determinadas circunstancias limitadas de caracteres especiales) podría desencadenar una implementación que escriba la contraseña de proxy de solicitud web en el inicio de sesión de implementación texto claro. Esto se fijó en 2019.7.7. La corrección fue re-portado a LTS 2019.6.7 así como LTS 2019.3.8.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-23 CVE Reserved
- 2019-08-23 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/OctopusDeploy/Issues/issues/5761 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Octopus Search vendor "Octopus" | Server Search vendor "Octopus" for product "Server" | >= 2018.8.4 <= 2019.7.6 Search vendor "Octopus" for product "Server" and version " >= 2018.8.4 <= 2019.7.6" | - |
Affected
| ||||||