CVE-2021-21270 - OpenCVE

OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Octopus	Octopusdsc

Configuration 1 [-]

cpe:2.3:a:octopus:octopusdsc:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42
https://github.com/OctopusDeploy/OctopusDSC/pull/270
https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002
https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-01-22T18:05:24

Updated: 2024-08-03T18:09:14.987Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21270

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-01-22T18:15:12.687

Modified: 2021-02-01T16:37:56.767

Link: CVE-2021-21270

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "OctopusDSC", "vendor": "OctopusDeploy", "versions": [{"status": "affected", "version": "< 4.0.1002"}]}], "descriptions": [{"lang": "en", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "{\"CWE-319\":\"Cleartext Transmission of Sensitive Information\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-22T18:05:24", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}], "source": {"advisory": "GHSA-phmm-rfg9-94fm", "discovery": "UNKNOWN"}, "title": "Cleartext Storage of Sensitive Information", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21270", "STATE": "PUBLIC", "TITLE": "Cleartext Storage of Sensitive Information"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OctopusDSC", "version": {"version_data": [{"version_value": "< 4.0.1002"}]}}]}, "vendor_name": "OctopusDeploy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-319\":\"Cleartext Transmission of Sensitive Information\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm", "refsource": "CONFIRM", "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/pull/270", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"name": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42", "refsource": "MISC", "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}]}, "source": {"advisory": "GHSA-phmm-rfg9-94fm", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:14.987Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21270", "datePublished": "2021-01-22T18:05:24", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:14.987Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopusdsc:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C2A1440-E4C7-464D-9FB8-25DE6573A278", "versionEndExcluding": "4.0.1002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OctopusDSC is a PowerShell module with DSC resources that can be used to install and configure an Octopus Deploy Server and Tentacle agent. In OctopusDSC version 4.0.977 and earlier a customer API key used to connect to Octopus Server is exposed via logging in plaintext. This vulnerability is patched in version 4.0.1002."}, {"lang": "es", "value": "OctopusDSC es un m\u00f3dulo de PowerShell con recursos de DSC, que se puede utilizar para instalar y configurar un agente de Octopus Deploy Server and Tentacle. En OctopusDSC versi\u00f3n 4.0.977 y anteriores, una clave de la API del cliente usada para conectarse a Octopus Server es expuesta mediante el inicio de sesi\u00f3n en texto plano. Esta vulnerabilidad est\u00e1 parcheada en la versi\u00f3n 4.0.1002"}], "id": "CVE-2021-21270", "lastModified": "2021-02-01T16:37:56.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-01-22T18:15:12.687", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/commit/24b448e6ac964ed938475add494a145c0473ac42"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/pull/270"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/releases/tag/v4.0.1002"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/OctopusDeploy/OctopusDSC/security/advisories/GHSA-phmm-rfg9-94fm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "security-advisories@github.com", "type": "Primary"}]}