CVE-2025-0589

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisories.octopus.com/post/2025/sa2025-01/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:octopus:octopus_server::::::::
	cpe:2.3:a:octopus:octopus_server::::::::

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

02 Jul 2025, 17:25

Type	Values Removed	Values Added
First Time		Octopus octopus Server Linux linux Kernel Linux Microsoft windows Octopus Microsoft
Summary		(es) En las versiones afectadas de Octopus Deploy en las que los clientes utilizan Active Directory para la autenticación, era posible que un usuario no autenticado realizara una solicitud de API contra dos endpoints que recuperarían algunos datos del Active Directory asociado. Las solicitudes, cuando se elaboraban correctamente, devolverían información específica de los perfiles de usuario (dirección de correo electrónico/UPN y nombre para mostrar) de un endpoint e información de grupo (ID de grupo y nombre para mostrar) del otro. Esta vulnerabilidad no expone los datos dentro del producto Octopus Server en sí.
References	~~() https://advisories.octopus.com/post/2025/sa2025-01/ -~~	() https://advisories.octopus.com/post/2025/sa2025-01/ - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:octopus:octopus_server:::::::: cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::*

11 Feb 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-648

11 Feb 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-11 09:15

Updated : 2025-07-02 17:25

NVD link : CVE-2025-0589

Mitre link : CVE-2025-0589

CVE.ORG link : CVE-2025-0589

JSON object : View

Products Affected

microsoft

windows

octopus

octopus_server

linux

linux_kernel

CWE

CWE-648

Incorrect Use of Privileged APIs

5.3 /10