CVE-2019-19375

In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
octopusoctopus_deploy
𝑥
< 2019.10.7
octopusoctopus_deploy
2019.6.0 ≤
𝑥
< 2019.6.14
octopusoctopus_deploy
2019.9.0 ≤
𝑥
< 2019.9.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/OctopusDeploy/Issues/issues/5998
https://github.com/OctopusDeploy/Issues/issues/5998