In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of O…
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
The product writes sensitive information to a log file.
https://cwe.mitre.org/data/definitions/532.html →Open in CWE collection →An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
https://capec.mitre.org/data/definitions/215.html →Open in CAPEC collection →