CVE-2020-16197

An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the scope of the deployment target. An authorised user can potentially use a certificate that they are not in scope to use. An authorised user is also able to obtain certificate metadata by associating a certificate with certain resources that should fail scope validation.

Published: Aug 25, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-16197
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
octopus / server	3.4.0	3.4.0.x
octopus / octopus_server	3.4.0	3.4.0.x

https://github.com/OctopusDeploy/Issues/issues/6529
https://github.com/OctopusDeploy/Issues/issues/6530
https://github.com/OctopusDeploy/Issues/issues/6531

Vulnerability Database

CVE-2020-16197

Deep Security Visibility Without the Complexity