CVE-2025-0589

Medium CVSS: 6.9

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

Vendor

Octopus

Product

Octopus Server

CWE

CWE-648

Yayın Tarihi

2025-02-11 09:15:09

Güncelleme

2025-07-02 17:25:02

Source Identifier

security@octopus.com

KEV Date Added

Kategoriler

CWE-648 Octopus Server MEDIUM Octopus 2025

Referanslar

https://advisories.octopus.com/post/2025/sa2025-01/

Benzer Kayıtlar

Low

CVE-2026-3237

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change…

Low

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting i…

Medium

CVE-2026-0704

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API…

Medium

CVE-2025-0539

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests th…

Medium

CVE-2025-0588

In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all se…

Low

CVE-2025-0513

In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could con…