CVE-2021-21270 - OpenCVE

OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Octopus	Octopusdsc

Configuration 1 [-]

cpe:2.3:a:octopus:octopusdsc:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42	Patch Third Party Advisory
https://github.com/OctopusDeploy/OctopusDSC/pull/270	Patch Third Party Advisory
https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002	Release Notes Third Party Advisory
https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-01-22T18:05:24

Updated: 2021-01-22T18:05:24

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21270

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-22T18:15:12.687

Modified: 2021-02-01T16:37:56.767

Link: CVE-2021-21270

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"product": "OctopusDSC", "vendor": "OctopusDeploy", "versions": [{"status": "affected", "version": "< 4.0.1002"}]}], "descriptions": [{"lang": "en", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "{\"CWE-319\":\"Cleartext Transmission of Sensitive Information\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-22T18:05:24", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}], "source": {"advisory": "GHSA-phmm-rfg9-94fm", "discovery": "UNKNOWN"}, "title": "Cleartext Storage of Sensitive Information", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21270", "STATE": "PUBLIC", "TITLE": "Cleartext Storage of Sensitive Information"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OctopusDSC", "version": {"version_data": [{"version_value": "< 4.0.1002"}]}}]}, "vendor_name": "OctopusDeploy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-319\":\"Cleartext Transmission of Sensitive Information\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm", "refsource": "CONFIRM", "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/pull/270", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}]}, "source": {"advisory": "GHSA-phmm-rfg9-94fm", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21270", "datePublished": "2021-01-22T18:05:24", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2021-01-22T18:05:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopusdsc:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C2A1440-E4C7-464D-9FB8-25DE6573A278", "versionEndExcluding": "4.0.1002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}, {"lang": "es", "value": "OctopusDSC es un m\u00f3dulo de PowerShell con recursos de DSC, que se puede utilizar para instalar y configurar un agente de Octopus Deploy Server and Tentacle. En OctopusDSC versi\u00f3n 4.0.977 y anteriores, una clave de la API del cliente usada para conectarse a Octopus Server es expuesta mediante el inicio de sesi\u00f3n en texto plano. Esta vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 4.0.1002"}], "id": "CVE-2021-21270", "lastModified": "2021-02-01T16:37:56.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-22T18:15:12.687", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security-advisories@github.com", "type": "Primary"}]}