CVE-2019-15507

{"id": "CVE-2019-15507", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-08-23T06:15:10.443", "references": [{"url": "https://github.com/OctopusDeploy/Issues/issues/5761", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.7. The fix was back-ported to LTS 2019.6.7 as well as LTS 2019.3.8."}, {"lang": "es", "value": "En las versiones 2018.8.4 a 2019.7.6 de Octopus Deploy, cuando se configura un proxy de solicitud web, un usuario autenticado (en determinadas circunstancias limitadas de caracteres especiales) podr\u00eda desencadenar una implementaci\u00f3n que escriba la contrase\u00f1a de proxy de solicitud web en el inicio de sesi\u00f3n de implementaci\u00f3n texto claro. Esto se fij\u00f3 en 2019.7.7. La correcci\u00f3n fue re-portado a LTS 2019.6.7 as\u00ed como LTS 2019.3.8."}], "lastModified": "2022-07-27T17:20:11.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFC4407-48AB-48BB-A88B-B33E82D6A47C", "versionEndIncluding": "2019.7.6", "versionStartIncluding": "2018.8.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}