CVE-2025-0589

Published Feb 11, 2025

Last updated a month ago

CVSS medium 6.9

Intruder

Overview

Description: In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
Source: security@octopus.com
NVD status: Awaiting Analysis

Insights

Analysis from the Intruder Security Team

Published Feb 25, 2025

Intruder reported this vulnerability to Octopus Deploy on Dec 3, 2024 and it was fixed fairly quickly, with patches available from Jan 14, 2025. The exploit is simple and discoverable by attackers with basic knowledge, so active exploitation is expected if you're running a vulnerable version. Impact is limited to active directory account names, emails and local AD usernames, but this information is highly useful to attackers mounting mass password spraying or phishing campaigns, making exploitation likely in a targeted attack scenario. Please see the advisory for affected versions and a patch.

Risk scores

CVSS 4.0

Type: Secondary
Base score: 6.9
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-648

Hype score: Not currently trending

Overview

Insights

Risk scores

CVSS 4.0

Weaknesses

Social media

References