CVE-2020-24566

moderate-risk

Published 2020-09-09

In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker, then (under certain circumstances) the account password is exposed in cleartext in the verbose task logs output.

Do I need to act?

1.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Octopus Deploy

Affected Vendors

Octopus

References (4)

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/6563

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/6564

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/6563

Third Party Advisory https://github.com/OctopusDeploy/Issues/issues/6564

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 5/34 · Minimal