Description

In affected versions of Octopus Deploy where customers use Active Directory for authentication, an unauthenticated user could make API requests against two endpoints that retrieve data from the associated Active Directory. Correctly crafted requests would return specific information from user profiles (email address/UPN and display name) from one endpoint and group information (group ID and display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

INFO

Published Date: 2025-02-11T08:59:51.030Z

Last Modified: 2025-02-11T15:20:52.205Z

Source: Octopus

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-0589 vulnerability.

Vendors Products
Linux
  • Linux Kernel
Microsoft
  • Windows
Octopus
  • Octopus Server

CVSS Vulnerability Scoring System

[Chart 1 metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability]

[Chart 2 metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact]