CVE-2025-0589

Feb. 11, 2025, 4:15 p.m.

None
No Score

Description

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

Product(s) Impacted

Product Versions
Octopus Deploy

Weaknesses

CWE-648
Incorrect Use of Privileged APIs
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References

https://advisories.octopus.com/post/2025/sa2025-01/

Tags

security@octopus.com
CWE-648
2025-02-11
CVE-2025-0589

Date

  • Published: Feb. 11, 2025, 9:15 a.m.
  • Last Modified: Feb. 11, 2025, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@octopus.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.