Octopus Deploy Active Directory Data Exposure Vulnerability

Vulnerability

A vulnerability exists in Octopus Deploy versions 2020.3.x (after 2020.3.3), 2020.4.x, 2020.5.x, 2020.6.x, 2021.x, 2022.x, 2023.x, 2024.1.x, 2024.2.x, 2024.3.x (before 2024.3.13071), and 2024.4.x (before 2024.4.7065) when Active Directory is used for authentication. This vulnerability allows an unauthenticated user to make API requests to two endpoints that retrieve data from Active Directory. Depending on how the requests are crafted, this could include specific user profile information such as email addresses, UPNs, display names, or group details like group IDs and display names. Notably, this vulnerability does not expose any data within the Octopus Server product itself.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive Active Directory information, including user profiles and group details, without authentication.

Remediation

Users are advised to upgrade to Octopus Server version 2024.4.7065 or 2024.3.13071. The latest versions can be downloaded from the Octopus Deploy website, while previous versions are available from the Octopus Deploy previous versions page.
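As an added triage aid (not code from the advisory or from Octopus Deploy), the following Python encodes the affected version ranges stated above so an inventory of Octopus Server instances can be checked; the function names and the host list are my own constructed example.

```python
# Added example: classify Octopus Server versions against the affected
# ranges in this advisory. Only relevant where Active Directory is the
# authentication provider, so that condition is an explicit input.
from typing import Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2024.3.13071' -> (2024, 3, 13071); tuples compare lexicographically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, uses_active_directory: bool = True) -> bool:
    """True if the version falls inside a range listed in the advisory."""
    if not uses_active_directory:
        return False
    v = parse_version(version)
    line = v[:2]  # (major, minor), e.g. (2024, 3)
    if line == (2020, 3):
        return v > (2020, 3, 3)          # 2020.3.x after 2020.3.3
    if (2020, 4) <= line <= (2024, 2):
        return True                      # 2020.4 through 2024.2, every patch
    if line == (2024, 3):
        return v < (2024, 3, 13071)      # fixed in 2024.3.13071
    if line == (2024, 4):
        return v < (2024, 4, 7065)       # fixed in 2024.4.7065
    return False  # older lines and 2024.5+ are not listed as affected


def recommended_fix(version: str) -> str:
    """Patched release to move to, per the remediation section."""
    if parse_version(version)[:2] == (2024, 3):
        return "2024.3.13071"
    return "2024.4.7065"


def triage(inventory):
    """inventory: iterable of (host, version, uses_ad) -> list of findings."""
    findings = []
    for host, version, uses_ad in inventory:
        if is_affected(version, uses_ad):
            findings.append((host, version, recommended_fix(version)))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("octo-a", "2023.1.0", True), ("octo-b", "2024.3.13071", True),
              ("octo-c", "2024.4.7000", False), ("octo-d", "2020.3.3", True)]
    for host, version, fix in triage(sample):
        print(f"{host}: {version} affected, upgrade to {fix}")
```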

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.