CVE-2019-8944

An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/OctopusDeploy/Issues/issues/5314	Third Party Advisory
https://github.com/OctopusDeploy/Issues/issues/5315	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:octopus:octopus_deploy::::::::
	cpe:2.3:a:octopus:octopus_deploy:2018.10.0::::lts:::
	cpe:2.3:a:octopus:octopus_deploy:2018.10.1::::lts:::
	cpe:2.3:a:octopus:octopus_deploy:2018.10.2::::lts:::
	cpe:2.3:a:octopus:octopus_deploy:2018.10.3::::lts:::
	cpe:2.3:a:octopus:octopus_server::::::::

History

27 Jul 2022, 16:42

Type	Values Removed	Values Added
First Time		Octopus octopus Server
CPE		cpe:2.3:a:octopus:octopus_server::::::::
CWE	~~CWE-200~~	CWE-532

Information

Published : 2019-02-20 03:29

Updated : 2023-12-10 12:44

NVD link : CVE-2019-8944

Mitre link : CVE-2019-8944

CVE.ORG link : CVE-2019-8944

JSON object : View

Products Affected

octopus

octopus_deploy
octopus_server

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2019-8944", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-02-20T03:29:00.343", "references": [{"url": "https://github.com/OctopusDeploy/Issues/issues/5314", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/OctopusDeploy/Issues/issues/5315", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files."}, {"lang": "es", "value": "Un fallo de exposici\u00f3n de informaci\u00f3n en el paso de despliegue de Terraform en Octopus Deploy, en versiones anteriores a la 2019.1.8 (anteriores a la 2018.10.4 LTS) permite a los usuarios autenticados remotos visualizar variables de salida sensibles de Terraform mediante archivos de log."}], "lastModified": "2022-07-27T16:42:01.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2C59C11-94C3-48C8-814F-E5BC1788EBC9", "versionEndIncluding": "2018.9.17"}, {"criteria": "cpe:2.3:a:octopus:octopus_deploy:2018.10.0:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "2D2D29C2-EE69-48F5-994C-D7C386882228"}, {"criteria": "cpe:2.3:a:octopus:octopus_deploy:2018.10.1:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "37A900A5-7E91-47B5-8479-1CB5DFCAC3A6"}, {"criteria": "cpe:2.3:a:octopus:octopus_deploy:2018.10.2:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "23D3AE78-7B30-4E00-99CA-3198B569ADB9"}, {"criteria": "cpe:2.3:a:octopus:octopus_deploy:2018.10.3:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "70B8C720-7B2A-429A-B431-6FEB09708095"}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B54792A-9E45-4798-875E-7EE1AFA9A4AD", "versionEndExcluding": "2019.1.8", "versionStartIncluding": "2018.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}