What is the severity of CVE-2020-24566?

CVE-2020-24566 has been classified as a high severity vulnerability due to the exposure of sensitive information.

How do I fix CVE-2020-24566?

To fix CVE-2020-24566, upgrade Octopus Deploy to version 2020.3.4 or later, or to version 2020.4.1 or later.

What type of vulnerability is CVE-2020-24566?

CVE-2020-24566 is an information exposure vulnerability that exposes account passwords under certain conditions.

Which versions of Octopus Deploy are affected by CVE-2020-24566?

Octopus Deploy versions 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1 are affected by CVE-2020-24566.

Vulnerability/
CVE-2020-24566

high

7.5

CWE

532

9/9/2020

4/8/2024

CVE-2020-24566

Q: What circumstances lead to the vulnerability CVE-2020-24566 being exploited?

The vulnerability is exploited when an authenticated user creates a deployment or runbook process with Azure steps set to execute on the server/worker.

First published: Wed Sep 09 2020(Updated: )

In Octopus Deploy 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1, if an authenticated user creates a deployment or runbook process using Azure steps and sets the step's execution location to run on the server/worker, then (under certain circumstances) the account password is exposed in cleartext in the verbose task logs output.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Octopus Deploy	>=2020.3<2020.3.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2020-24566?
CVE-2020-24566 has been classified as a high severity vulnerability due to the exposure of sensitive information.
How do I fix CVE-2020-24566?
To fix CVE-2020-24566, upgrade Octopus Deploy to version 2020.3.4 or later, or to version 2020.4.1 or later.
What type of vulnerability is CVE-2020-24566?
CVE-2020-24566 is an information exposure vulnerability that exposes account passwords under certain conditions.
Which versions of Octopus Deploy are affected by CVE-2020-24566?
Octopus Deploy versions 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1 are affected by CVE-2020-24566.
What circumstances lead to the vulnerability CVE-2020-24566 being exploited?
The vulnerability is exploited when an authenticated user creates a deployment or runbook process with Azure steps set to execute on the server/worker.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/author
agent/weakness
agent/description
agent/first-publish-date
agent/event
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/octopus
canonical/octopus deploy
version/octopus deploy/2020.3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

Frequently Asked Questions

What is the severity of CVE-2020-24566?
CVE-2020-24566 has been classified as a high severity vulnerability due to the exposure of sensitive information.
How do I fix CVE-2020-24566?
To fix CVE-2020-24566, upgrade Octopus Deploy to version 2020.3.4 or later, or to version 2020.4.1 or later.
What type of vulnerability is CVE-2020-24566?
CVE-2020-24566 is an information exposure vulnerability that exposes account passwords under certain conditions.
Which versions of Octopus Deploy are affected by CVE-2020-24566?
Octopus Deploy versions 2020.3.x before 2020.3.4 and 2020.4.x before 2020.4.1 are affected by CVE-2020-24566.
What circumstances lead to the vulnerability CVE-2020-24566 being exploited?
The vulnerability is exploited when an authenticated user creates a deployment or runbook process with Azure steps set to execute on the server/worker.