CVE-2017-15610

An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the private key.
References
Link Resource
https://github.com/OctopusDeploy/Issues/issues/3869 Issue Tracking Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:14

Type: References
Values Removed: () https://github.com/OctopusDeploy/Issues/issues/3869 - Issue Tracking, Patch, Third Party Advisory
Values Added: () https://github.com/OctopusDeploy/Issues/issues/3869 - Issue Tracking, Patch, Third Party Advisory

Information

Published : 2017-10-19 08:29

Updated : 2024-11-21 03:14


NVD link : CVE-2017-15610

Mitre link : CVE-2017-15610

CVE.ORG link : CVE-2017-15610


Products Affected

octopus

  • octopus_deploy
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor