CVE-2017-15610

Name of the Vulnerable Software and Affected Versions Octopus versions prior to 3.17.7

Description An issue was discovered where an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the private key, when the special Guest user account is granted the CertificateExportPrivateKey permission and Guest Access is enabled for the Octopus Server.

Recommendations For versions prior to 3.17.7, update to version 3.17.7 or later to resolve the issue. As a temporary workaround, consider disabling Guest Access or revoking the CertificateExportPrivateKey permission from the Guest user account until a patch is available.