CyberSec.Space Logo
返回 CVE 浏览器

CVE-2020-24566

HIGH
7.5
CVSS Severity Score
EPSS Score0.1230%
EPSS Percentile24.89th
Published2020年9月9日
Last Modified2024年11月21日

Vulnerability Description

In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker, then (under certain circumstances) the account password is exposed in cleartext in the verbose task logs output.

Affected Platforms (CPE)

📦
Octopus

Octopus Deploy

>= 2020.3 and < 2020.3.4

References & Advisories

🔗 https://github.com/OctopusDeploy/Issues/issues/6563
🔗 https://github.com/OctopusDeploy/Issues/issues/6564
🔗 https://github.com/OctopusDeploy/Issues/issues/6563
🔗 https://github.com/OctopusDeploy/Issues/issues/6564

相关漏洞威胁

CVE-2018-113209.8

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfus...

CVE-2018-48628.8

In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an A...

CVE-2017-176658.8

In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows...

CVE-2018-57068.8

An issue was discovered in Octopus Deploy before 4.1.9. Any user with user editing permissions can modify teams to give themselves...