github - ghsa-2986-5hcf-cm8g

GHSA-2986-5HCF-CM8G

Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-01-27 00:03

Details

When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-31821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image",
  "id": "GHSA-2986-5hcf-cm8g",
  "modified": "2022-01-27T00:03:36Z",
  "published": "2022-01-20T00:01:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31821"
    },
    {
      "type": "WEB",
      "url": "https://advisories.octopus.com/post/2022/sa2022-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2021-31821 (GCVE-0-2021-31821)

Vulnerability from cvelistv5 – Published: 2022-01-19 05:25 – Updated: 2024-08-03 23:10

Summary

Severity ?

No CVSS data available.

CWE

Cleartext Storage of Sensitive Information in Octopus Tentacle Windows Docker image

Assigner

Octopus

References

URL

Tags

https://advisories.octopus.com/post/2022/sa2022-01/

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Octopus Deploy	Octopus Tentacle	Affected: unspecified , < 6.1.1266 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:10:30.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://advisories.octopus.com/post/2022/sa2022-01/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Octopus Tentacle",
          "vendor": "Octopus Deploy",
          "versions": [
            {
              "lessThan": "6.1.1266",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cleartext Storage of Sensitive Information in Octopus Tentacle Windows Docker image",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-19T05:25:10",
        "orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
        "shortName": "Octopus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://advisories.octopus.com/post/2022/sa2022-01/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@octopus.com",
          "ID": "CVE-2021-31821",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Octopus Tentacle",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "6.1.1266"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Octopus Deploy"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cleartext Storage of Sensitive Information in Octopus Tentacle Windows Docker image"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://advisories.octopus.com/post/2022/sa2022-01/",
              "refsource": "MISC",
              "url": "https://advisories.octopus.com/post/2022/sa2022-01/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272",
    "assignerShortName": "Octopus",
    "cveId": "CVE-2021-31821",
    "datePublished": "2022-01-19T05:25:10",
    "dateReserved": "2021-04-26T00:00:00",
    "dateUpdated": "2024-08-03T23:10:30.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-2986-5HCF-CM8G

CVE-2021-31821 (GCVE-0-2021-31821)

Tags

Sightings

Nomenclature