SB2020082536 - Improper certificate validation in Octopus Deploy

Published: August 25, 2020 Updated: December 31, 2025

Security Bulletin ID: SB2020082536
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100% (1 of 1)

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Certificate Validation (CVE-ID: CVE-2020-16197)

The vulnerability allows a remote authenticated user to use a certificate outside the scope they are permitted to use and to obtain certificate metadata they should not be able to read.

An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.

Despite the bulletin category, the weakness is not in validating the certificates themselves (chain, expiry or hostname): it is a missing authorisation check on the scoping of certificate and account resources. The server accepted a binding between a deployment target and a certificate without first confirming that the certificate's environment and tenant scope covered the target and that the calling user was permitted that scope, so the association succeeded where it should have been rejected, and the response to that request exposed metadata about the certificate.
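The following model, added here as an illustration and not taken from Octopus Deploy's code or data model, shows the failure the bulletin describes beside the check that prevents it. The resource shapes, the identifiers, the rule that a certificate's scope must cover every environment and tenant of the target, and the rule that the caller must be permitted every environment and tenant in the certificate's scope are all assumptions made for the example; an empty scope is treated as unrestricted.

```python
"""Scope validation when binding a certificate to a deployment target.

Constructed example: resource names, identifiers and scoping rules are
assumptions for illustration, not Octopus Deploy's own code or data model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    id: str
    thumbprint: str                              # metadata an out-of-scope caller must not learn
    environment_ids: frozenset = frozenset()     # empty scope = usable in any environment
    tenant_ids: frozenset = frozenset()          # empty scope = usable for any tenant


@dataclass(frozen=True)
class DeploymentTarget:
    id: str
    environment_ids: frozenset
    tenant_ids: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    environment_ids: frozenset                   # environments the user's role grants
    tenant_ids: frozenset = frozenset()          # tenants the user's role grants


def attach_certificate_unchecked(user: User, target: DeploymentTarget, cert: Certificate) -> dict:
    """Before: any authenticated user may bind any certificate they can name to any
    target, and the response echoes certificate metadata, so the call doubles as a
    disclosure for callers who should have failed scope validation."""
    return {"target": target.id, "certificate": cert.id, "thumbprint": cert.thumbprint}


def _covers(scope: frozenset, required: frozenset) -> bool:
    """An empty scope is unrestricted; otherwise it must contain every required id."""
    return not scope or required <= scope


def certificate_in_scope(user: User, target: DeploymentTarget, cert: Certificate) -> bool:
    """True only when the caller, the target and the certificate scopes all agree."""
    # 1. The caller must be permitted every environment and tenant the target belongs to.
    if not (target.environment_ids <= user.environment_ids):
        return False
    if not (target.tenant_ids <= user.tenant_ids):
        return False
    # 2. The caller must be permitted every environment and tenant the certificate is
    #    scoped to; otherwise a dev-only user could borrow a production-only certificate.
    if not (cert.environment_ids <= user.environment_ids):
        return False
    if not (cert.tenant_ids <= user.tenant_ids):
        return False
    # 3. The certificate's scope must cover the target (empty scope = unrestricted).
    if not _covers(cert.environment_ids, target.environment_ids):
        return False
    if cert.tenant_ids and (not target.tenant_ids or not _covers(cert.tenant_ids, target.tenant_ids)):
        return False
    return True


def attach_certificate_checked(user: User, target: DeploymentTarget, cert: Certificate) -> dict:
    """After: validate scope before touching the certificate. On failure the error
    carries only the identifier the caller already supplied, never thumbprint or subject."""
    if not certificate_in_scope(user, target, cert):
        raise PermissionError(f"certificate {cert.id} is out of scope for target {target.id}")
    return {"target": target.id, "certificate": cert.id, "thumbprint": cert.thumbprint}


def attempt(user: User, target: DeploymentTarget, cert: Certificate) -> dict:
    """Run the hardened path and report the outcome as data (convenient for testing)."""
    try:
        return attach_certificate_checked(user, target, cert)
    except PermissionError as exc:
        return {"denied": str(exc)}


# Constructed sample data (identifiers are invented for the example).
PROD_CERT = Certificate("Certificates-1", "AB:CD:EF:01", environment_ids=frozenset({"Environments-prod"}))
SHARED_CERT = Certificate("Certificates-2", "12:34:56:78")
PROD_TARGET = DeploymentTarget("Machines-1", frozenset({"Environments-prod"}))
DEV_TARGET = DeploymentTarget("Machines-2", frozenset({"Environments-dev"}))
DEV_USER = User("dev-deployer", frozenset({"Environments-dev"}))
RELEASE_MANAGER = User("release-manager", frozenset({"Environments-dev", "Environments-prod"}))

if __name__ == "__main__":
    # A dev-only user binds a production-only certificate to a dev target.
    print("unchecked:", attach_certificate_unchecked(DEV_USER, DEV_TARGET, PROD_CERT))  # leaks thumbprint
    print("checked:  ", attempt(DEV_USER, DEV_TARGET, PROD_CERT))                       # denied, no metadata
    # Even a user allowed in both environments cannot bind a prod-scoped cert to a dev target.
    print("checked:  ", attempt(RELEASE_MANAGER, DEV_TARGET, PROD_CERT))
    # An unscoped certificate remains usable where the caller is already permitted.
    print("checked:  ", attempt(DEV_USER, DEV_TARGET, SHARED_CERT))
```

The ordering matters as much as the rule: the hardened path evaluates scope before it reads or returns anything about the certificate, so a request that should fail does not become an oracle for certificate metadata.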


Remediation

Install the update from the vendor's website. The update adds the missing scope validation for new requests; bindings that were created while the check was absent may still be in place, so after updating, review existing deployment targets for accounts or certificates that fall outside the target's environment or tenant scope and remove any that should not be there.