Data Exposure Vulnerability in Octopus Deploy with Active Directory Authentication
CVE-2025-0589
CVSS v4 score: 6.9 (MEDIUM)
Key Information:
- Vendor: Octopus Deploy
- Product: Octopus Server
- CVE Published: 11 February 2025
Summary
In specific versions of Octopus Deploy that use Active Directory for user authentication, an unauthenticated attacker can call two API endpoints to retrieve sensitive information from user profiles, namely the user's email address and display name, as well as group details such as the Group ID and Display Name. Importantly, this vulnerability does not expose any data stored within the Octopus Server product itself.
Affected Version(s)
- Octopus Server (Windows): 2020.3.3 and later, earlier than 2024.3.13071
- Octopus Server (Windows): 2024.4.401 and later, earlier than 2024.4.7065
References
CVSS v4
- Score: 6.9
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: None
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Undefined
- User Interaction: None
Timeline
- Vulnerability published
- Vulnerability reserved