Octopus Server
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*
- ~2022.4
- ~2023
- ~2024.1
- ~2024.2
- ~2024.3
A path traversal vulnerability has been identified in Octopus Deploy's API, allowing users to upload files to unintended locations on the host. This issue arises from a lack of proper validation in the API endpoint, which could be exploited to bypass expected workflows. The vulnerability affects Octopus Server versions 2022.4.x, 2023.x, 2024.1.x, 2024.2.x, and 2024.3.x prior to 2024.3.13097, as well as all 2024.4.x versions prior to 2024.4.7091.
Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for further attacks such as remote code execution, according to the Octopus Deploy security team.
Users are advised to upgrade to Octopus Server version 2024.4.7091 or 2024.3.13097. The latest versions can be downloaded from the Octopus Deploy website, while previous versions are available from the Octopus Deploy previous versions page.
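To check an inventory against the version ranges stated above, here is an added example (not code from Octopus Deploy or from this page's source) that classifies version strings as affected, fixed, or not listed. The function names, hostnames and sample inventory are constructed for illustration; build numbers are compared as integers because a string comparison would rank 9999 above 13097.

```python
import re

# Branches and first fixed builds, taken from the advisory text above.
FIXED_BUILD = {(2024, 3): 13097, (2024, 4): 7091}
# Branches listed as affected with no fixed build named for that branch.
AFFECTED_BRANCHES = {(2022, 4), (2024, 1), (2024, 2)}
AFFECTED_MAJORS = {2023}  # "2023.x"

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, build) as integers; trailing text after the build is ignored."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one Octopus Server version."""
    major, minor, build = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BUILD:
        # Integer comparison: as strings, "9999" would sort after "13097".
        return "affected" if build < FIXED_BUILD[branch] else "fixed"
    if major in AFFECTED_MAJORS or branch in AFFECTED_BRANCHES:
        return "affected"
    return "not-listed"  # the advisory text makes no statement about this branch


def triage(inventory):
    """Map each host to its status; unparseable versions are flagged for manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "review"
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "octo-prod-01": "2024.3.9999",
    "octo-prod-02": "2024.3.13097",
    "octo-stage-01": "2024.4.7091",
    "octo-legacy-01": "2023.2.13580",
    "octo-lab-01": "unknown",
}
```

Hosts reported as `affected` are the ones to move to 2024.4.7091 or 2024.3.13097; `not-listed` means the advisory text does not cover that branch, not that the branch is safe.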