CVE-2021-31820: 
Octopus Deploy vulnerability analysis and mitigation

In Octopus Server versions after 2018.8.2, a security vulnerability was identified where if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI (NVD).

The vulnerability is tracked as CVE-2021-31820 and has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue is classified under CWE-312 (Cleartext Storage of Sensitive Information) and affects Octopus Server versions from 2018.8.2 up to but not including 2020.6.5310, and versions from 2021.1.0 up to but not including 2021.1.7622 (NVD).

The vulnerability exposes proxy authentication passwords in plaintext through the user interface, potentially allowing unauthorized users to view sensitive credentials. This could lead to unauthorized access to proxy-protected resources and compromise of proxy authentication mechanisms (NVD).

The issue has been addressed in subsequent versions of Octopus Server. Users should upgrade to version 2020.6.5310 or later if running in the 2020.6.x series, or to version 2021.1.7622 or later if running in the 2021.1.x series (NVD, Octopus Advisory).