CVE-2019-19375

EUVD-2019-8996
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
Affected Products (NVD)
VendorProductVersion
octopusoctopus_deploy
𝑥
< 2019.10.7
octopusoctopus_deploy
2019.6.0 ≤
𝑥
< 2019.6.14
octopusoctopus_deploy
2019.9.0 ≤
𝑥
< 2019.9.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/OctopusDeploy/Issues/issues/5998
https://github.com/OctopusDeploy/Issues/issues/5998