CVE-2019-14525

low-risk

Published 2019-08-05

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call.

Do I need to act?

0.44% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Octopus Deploy

Octopus Server

Affected Vendors

Octopus

References (6)

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/5753

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/5754

Vendor Advisory https://octopus.com/downloads/compare?from=2019.6.6&to=2019.7.7

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/5753

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/5754

Vendor Advisory https://octopus.com/downloads/compare?from=2019.6.6&to=2019.7.7

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 7/34 · Low