Vulnerability Details : CVE-2019-19376
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2019-19376
- cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:-:*:*:*
- Octopus » Octopus Deploy » LTS Edition, versions from including (>=) 2019.9.0 and before (<) 2019.9.8: cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:lts:*:*:*
- Octopus » Octopus Deploy » LTS Edition, versions from including (>=) 2019.6.0 and before (<) 2019.6.14: cpe:2.3:a:octopus:octopus_deploy:*:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19376
- 0.08%: probability of exploitation activity in the next 30 days
- ~ 31%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-19376
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2019-19376
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
- The product dereferences a pointer that it expects to be valid but is NULL. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-19376
- https://github.com/OctopusDeploy/Issues/issues/6005
  Invalid request submitted to Team API can cause denial of service · Issue #6005 · OctopusDeploy/Issues · GitHub (Third Party Advisory)