CVE-2023-1904: 
Octopus Deploy vulnerability analysis and mitigation

CVE-2023-1904 is a vulnerability discovered in Octopus Server that allows exposure of sensitive information through logging. The vulnerability was discovered on April 6, 2023, and affects multiple versions of Octopus Server including all 2022.2.x, 2022.3.x, 2022.4.x versions, and specific versions of 2023.1.x, 2023.2.x, and 2023.3.x before their respective patches (Octopus Advisory).

The vulnerability allows the OpenID client secret to be logged in plain text during the configuration of Octopus Server. This security issue has been assigned a CVSS score of 4.2, indicating medium severity. The vulnerability was discovered during internal testing by Yun Huang Yong at Octopus Deploy (Octopus Advisory).

The vulnerability could lead to exposure of sensitive authentication credentials if exploited, as it logs OpenID client secrets in clear text. This could potentially allow unauthorized access to systems if the logs are compromised (Octopus Advisory).

The vulnerability has been patched in Octopus Server versions 2023.1.11942, 2023.2.13151, and 2023.3.5049. Octopus Deploy recommends upgrading to the latest version (2023.4.8116 at the time of advisory publication) and rotating the Octopus Server's OpenID client secret, especially if it appears in logs. There are no known mitigations other than upgrading to a fixed version (Octopus Advisory).