VYPR
Unrated severity · NVD Advisory · Published May 14, 2021 · Updated Aug 3, 2024

CVE-2021-30183

Description

Cleartext storage of sensitive information in multiple versions of Octopus Server: in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values is written to the logs in plaintext.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Octopus Server logs the import/export encryption password in cleartext, exposing it to anyone who can read the log files.

Vulnerability

Octopus Server versions prior to the fix contain a cleartext storage vulnerability where the password used to encrypt and decrypt sensitive values during import/export processes is written to logs in plaintext [1]. The affected component is the server's logging mechanism during data transfer operations, requiring no special configuration beyond initiating an import or export task.

Exploitation

An attacker with local access to the system or the ability to read log files (e.g., through a separate vulnerability, shared hosting, or compromised credentials) can obtain the plaintext password by examining the logs generated during an import or export operation [1]. No authentication to the Octopus Server database is required beyond log file access.

Impact

Successful exploitation reveals the encryption password, which could be used to decrypt sensitive data stored or transferred by Octopus Server, leading to information disclosure of potentially critical secrets [1]. The scope is limited to data protected by this specific password.

Mitigation

Octopus Deploy has released security updates for affected versions; users should upgrade to the latest patched version as indicated in the official advisory [1]. As a workaround, audit log retention policies and restrict log file access to trusted administrators only. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
