Main Vulnerability Database Vulnerabilities #VU30877

Information disclosure in Octopus Deploy - CVE-2019-14525

Published: August 5, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30877

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-14525

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Octopus Deploy

Affected software:
Octopus Deploy

Detailed vulnerability description

The vulnerability allows a remote privileged user to gain access to sensitive information.

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.

How to mitigate CVE-2019-14525

Install update from vendor's website.

Sources

https://github.com/OctopusDeploy/Issues/issues/5753
https://github.com/OctopusDeploy/Issues/issues/5754
https://octopus.com/downloads/compare?from=2019.6.6&to=2019.7.7

Information disclosure in Octopus Deploy - CVE-2019-14525

Detailed vulnerability description

How to mitigate CVE-2019-14525

Sources

Please verify you're human