CVE-2024-6972: 
Octopus Deploy vulnerability analysis and mitigation

In affected versions of Octopus Server, a vulnerability (CVE-2024-6972) was identified where sensitive variables could be exposed in clear-text within task logs under certain circumstances. The vulnerability was discovered on May 30, 2024, and a patch was released on June 12, 2024. The affected versions include all 2024.1.x versions before 2024.1.12759 and all 2024.2.x versions before 2024.2.9193 (Octopus Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The weakness has been categorized as CWE-319 (Cleartext Transmission of Sensitive Information). The vulnerability allows sensitive variables to be printed in clear-text format in the task log, potentially exposing confidential information (NVD).

The vulnerability could lead to the exposure of sensitive information through task logs. The CVSS scoring indicates high confidentiality impact, while integrity and availability remain unaffected. This could potentially allow attackers to access sensitive configuration data or credentials if they gain access to the task logs (Octopus Advisory).

Octopus Deploy recommends upgrading to version 2024.2.9313 or later to address this vulnerability. For users unable to upgrade to the latest version, specific version upgrades are recommended: users on 2024.1.x should upgrade to 2024.1.12847 or greater, while users on 2024.2.x should upgrade to 2024.2.9206 or greater. There are no known mitigations other than upgrading to a fixed version (Octopus Advisory).