{"id":"CVE-2019-15508","details":"In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 5.0.1. The fix was back-ported to 4.0.7.","modified":"2026-04-11T12:10:54.799156Z","published":"2019-08-23T06:15:10.540Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:octopus:server:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.0.8"},{"last_affected":"2019.7.6"}],"source":"CPE_FIELD"}]},"references":[{"type":"REPORT","url":"https://github.com/OctopusDeploy/Issues/issues/5750"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/octopusdeploy/octopustentacle","events":[{"introduced":"0"},{"last_affected":"e28c9d269d10b345ac69f87b4cb9063149a4052b"}],"database_specific":{"cpe":"cpe:2.3:a:octopus:tentacle:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"3.0.8"},{"last_affected":"5.0.0"}],"source":"CPE_FIELD"}}],"versions":["3.14.0-beta.1","3.14.0-beta.2","3.14.1","3.14.15","3.14.159","3.15.0","3.15.1","3.15.2","3.15.3","3.15.4","3.15.5","3.15.6","3.15.7","3.15.8","3.16.0","3.16.1","3.16.2","3.16.3","3.16.4","3.17.0","3.18.0","3.19.0","3.19.1","3.20.0","3.20.1","3.21.0","3.22.0","3.22.1","3.22.1-deleteme","3.22.2","3.23.0","3.23.1","3.23.2","3.24.0","3.25.0","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","5.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-15508.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}