An issue was discovered in Octopus before 3.17.7. When the special Guest user account is granted the CertificateExportPrivateKey permission, and Guest Access is enabled for the Octopus Server, an attacker can sign in as the Guest account and export Certificates managed by Octopus, including the private key.
References
Link | Resource |
---|---|
https://github.com/OctopusDeploy/Issues/issues/3869 | Issue Tracking Patch Third Party Advisory |
History
21 Nov 2024, 03:14
Type | Values Removed | Values Added |
---|---|---|
References | | https://github.com/OctopusDeploy/Issues/issues/3869 - Issue Tracking, Patch, Third Party Advisory |
Information
Published : 2017-10-19 08:29
Updated : 2024-11-21 03:14
NVD link : CVE-2017-15610
Mitre link : CVE-2017-15610
CVE.ORG link : CVE-2017-15610
Products Affected
octopus
- octopus_deploy
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor