CVE-2019-19375

MEDIUM

Octopus Deploy < 2019.10.7 and 2019.6.0-2019.6.14 - Cross-Site Request Forgery via Insecure CSRF Cookie Attribute

Title source: llm
STIX 2.1

Description

In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/OctopusDeploy/Issues/issues/5998

Scores

CVSS v3 5.3
EPSS 0.0042
EPSS Percentile 33.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-352
Status published
Products (2)
octopus/octopus_deploy < 2019.10.7
octopus/octopus_deploy 2019.6.0 - 2019.6.14
Published Nov 28, 2019
Tracked Since Feb 18, 2026