CVE-2019-15508

In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.5 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/OctopusDeploy/Issues/issues/5750	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:octopus:server::::::::
	cpe:2.3:a:octopus:tentacle::::::::

History

27 Jul 2022, 17:20

Type	Values Removed	Values Added
CWE		CWE-312

Information

Published : 2019-08-23 06:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-15508

Mitre link : CVE-2019-15508

CVE.ORG link : CVE-2019-15508

JSON object : View

Products Affected

octopus

tentacle
server

CWE

CWE-312

Cleartext Storage of Sensitive Information

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2019-15508", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-08-23T06:15:10.540", "references": [{"url": "https://github.com/OctopusDeploy/Issues/issues/5750", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7."}, {"lang": "es", "value": "En las versiones 3.0.8 a 5.0.0 de Octopus Tentacle, cuando se configura un proxy de solicitud web, un usuario autenticado (en determinadas circunstancias limitadas de OctopusPrintVariables) podr\u00eda desencadenar una implementaci\u00f3n que escriba la contrase\u00f1a de proxy de solicitud web en el inicio de sesi\u00f3n de implementaci\u00f3n texto claro. Esto se corrige en 5.0.1. La correcci\u00f3n fue back-ported a 4.0.7."}], "lastModified": "2022-07-27T17:20:11.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A4E0CD9-F285-47B0-9CAF-426FAE6570CF", "versionEndIncluding": "2019.7.6", "versionStartIncluding": "3.0.8"}, {"criteria": "cpe:2.3:a:octopus:tentacle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76D1B1C1-817F-4F76-9848-0DA549D1AA37", "versionEndIncluding": "5.0.0", "versionStartIncluding": "3.0.8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}