#VU30573 Input validation error in Octopus Deploy - CVE-2019-19376
Published: November 28, 2019 / Updated: July 17, 2020
Vulnerability identifier: #VU30573
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19376
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Octopus Deploy
Octopus Deploy
Software vendor:
Octopus Deploy
Octopus Deploy
Description
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)
Remediation
Install update from vendor's website.