Octopus Server
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*, +1 more
- ~2020
- ~2021
- ~2022
- ~2023
- ~2024.1
- ~2024.2
- ~2024.3
- ~2024.4
A denial-of-service vulnerability has been identified in Octopus Server. A user with sufficient access could manipulate server responses by sending custom request headers, in particular a crafted Referer header. Once such a request has been made, subsequent server responses return HTTP 500 errors, disrupting the site's functionality. The user can switch this denial-of-service state on and off by toggling the Referer header, using a valid CSRF token they already hold, while being unable to generate new CSRF tokens. This issue affects all 2020.x, 2021.x, 2022.x and 2023.x versions of Octopus Server, all 2024.1.x and 2024.2.x versions, and all 2024.3.x versions prior to 2024.3.13097. Users who have upgraded to Octopus Server version 2024.4.7132 or higher are not affected.
Exploitation of this vulnerability leads to a denial-of-service condition: the server responds with HTTP 500 errors and the site becomes mostly unusable.
Users are advised to upgrade to Octopus Server version 2024.4.7091 or later, or to 2024.3.13097 or later if they remain on the 2024.3 line. The latest version can be downloaded from the Octopus Deploy website.
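The affected ranges above are awkward to compare by hand because the build number is only meaningful within a single year.minor line. The following script is an added example for this page, not code from Octopus Deploy; it encodes the advisory's ranges so an installed version string can be classified. It assumes the version format `year.minor.build` (for example `2024.3.13097`), treats the remediation build `2024.4.7091` as the first fixed build on the 2024.4 line (which is consistent with the statement that 2024.4.7132 or higher is not affected), and reports versions the advisory does not mention, such as pre-2020 releases, as "not listed" rather than as safe.

```python
"""Classify an Octopus Server version against the advisory's affected ranges.

Added example for this page (not Octopus Deploy code). Ranges encoded:
  - every 2020.x, 2021.x, 2022.x and 2023.x release: affected
  - every 2024.1.x and 2024.2.x release: affected
  - 2024.3.x below build 13097: affected
  - 2024.4.x below build 7091: affected (assumption: the remediation
    version 2024.4.7091 is the first fixed build on that line)
Anything the advisory does not mention is reported as "not listed".
"""
from __future__ import annotations

import re
from typing import Tuple

# year.minor.build with an optional pre-release/hotfix suffix, e.g. 2024.3.13097-hotfix.1
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)(?:[.-]\S*)?$")

# First fixed build on each 2024 minor line, taken from the advisory text.
FIXED_BUILDS = {
    (2024, 3): 13097,
    (2024, 4): 7091,  # assumption: remediation build treated as first fixed build
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'year.minor.build' into integers; reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Octopus Server version: {text!r}")
    return int(match.group(1)), int(match.group(2)), int(match.group(3))


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a version string."""
    year, minor, build = parse_version(version)
    if 2020 <= year <= 2023:
        return "affected"  # every release on these yearly lines
    if year == 2024:
        if minor in (1, 2):
            return "affected"  # every 2024.1.x and 2024.2.x release
        if (year, minor) in FIXED_BUILDS:
            return "affected" if build < FIXED_BUILDS[(year, minor)] else "fixed"
        return "not listed"  # 2024.5+ is not mentioned by the advisory
    return "not listed"  # pre-2020 and 2025+ are not mentioned by the advisory


def is_affected(version: str) -> bool:
    return classify(version) == "affected"


def upgrade_target(version: str) -> str:
    """Upgrade target the advisory names for the given install's line."""
    year, minor, _ = parse_version(version)
    if year == 2024 and minor == 3:
        return "2024.3.13097"
    return "2024.4.7091"


def report(versions: list[str]) -> list[str]:
    """One line per version: status plus the upgrade target if affected."""
    lines = []
    for v in versions:
        status = classify(v)
        suffix = f" -> upgrade to {upgrade_target(v)}" if status == "affected" else ""
        lines.append(f"{v}: {status}{suffix}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    inventory = ["2022.4.8379", "2024.1.12867", "2024.3.13096",
                 "2024.3.13097", "2024.4.7090", "2024.4.7132", "2019.13.7"]
    print("\n".join(report(inventory)))
```

The suffix handling matters in practice: hotfix builds are published with a `-hotfix.N` tail, and a checker that rejects them would silently skip exactly the hosts an administrator patched most recently.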