CVE-2019-19375
MEDIUMOctopus Deploy < 2019.10.7 and 2019.6.0-2019.6.14 - Cross-Site Request Forgery via Insecure CSRF Cookie Attribute
Title source: llmDescription
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/OctopusDeploy/Issues/issues/5998
Scores
CVSS v3
5.3
EPSS
0.0042
EPSS Percentile
33.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-352
Status
published
Products (2)
octopus/octopus_deploy
< 2019.10.7
octopus/octopus_deploy
2019.6.0 - 2019.6.14
Published
Nov 28, 2019
Tracked Since
Feb 18, 2026