PT-2020-15740 · Octopus · Octopus Deploy

Flin-8 · Published 2020-09-09 · Updated 2020-09-10 · CVE-2020-24566

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Octopus Deploy versions 2020.3.x through 2020.3.3
Octopus Deploy versions 2020.4.x through 2020.4.0

Description

The issue exposes an account password in cleartext in the verbose task log output under certain circumstances. This occurs when an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker.

Recommendations

For Octopus Deploy versions 2020.3.x through 2020.3.3, update to version 2020.3.4 or later.
For Octopus Deploy versions 2020.4.x through 2020.4.0, update to version 2020.4.1 or later.

Fix

Insertion into Log File


Weakness Enumeration

Related Identifiers

CVE-2020-24566

Affected Products

Octopus Deploy