CVE-2025-0589
Octopus Deploy vulnerability analysis and mitigation

Overview

In affected versions of Octopus Deploy where customers are using Active Directory for authentication, a vulnerability was discovered that allowed unauthenticated users to access Active Directory data through API endpoints. The vulnerability, identified as CVE-2025-0589, was discovered on December 09, 2024, and patched on January 14, 2025. The issue affects Octopus Server versions from 2020.3.x through 2024.4.x (before 2024.4.7065) (Octopus Advisory).

Technical details

The vulnerability allows an unauthenticated user to make API requests against two specific endpoints that retrieve data from the associated Active Directory. When properly crafted, these requests could return user profile information (Email address/UPN and Display name) from one endpoint and group information (Group ID and Display name) from the other. The vulnerability has been assigned a CVSS score of 6.9, categorized as Medium severity (Octopus Advisory).

Impact

The vulnerability exposes sensitive Active Directory information, including user email addresses, display names, and group information, to unauthenticated users. It does not expose data held within the Octopus Server product itself, and it does not affect customers using Octopus Cloud (Octopus Advisory).

Mitigation and workarounds

Octopus Deploy has released patches in versions 2024.4.7065 and 2024.3.13071 to address this vulnerability. Users are strongly advised to upgrade to the latest version (2024.4.7076) or, at a minimum, to one of the patched versions. There are no known mitigations for this vulnerability other than upgrading to a fixed version (Octopus Advisory).
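Because the only remediation is upgrading, the practical first step for a defender is to check every Octopus Server instance against the affected range and the two patched builds named above. The following script is an added example, not code from Octopus Deploy or from this advisory: it parses an Octopus Server version string and reports whether that version falls inside the affected range (2020.3.x through 2024.4.x) without having reached the fixed build for its branch (2024.3.13071 or 2024.4.7065). The inventory of version strings it runs over is constructed for illustration, and the script assumes that releases newer than the 2024.4 branch are outside the advisory's affected range, as the advisory lists nothing beyond 2024.4.x.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected range taken from the advisory: 2020.3.x through 2024.4.x.
AFFECTED_FROM: Tuple[int, int] = (2020, 3)
AFFECTED_THROUGH: Tuple[int, int] = (2024, 4)

# First fixed build on each branch that received a patch (from the advisory).
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (2024, 3): 13071,
    (2024, 4): 7065,
}

# Latest release recommended by the advisory at the time of writing.
RECOMMENDED_VERSION = "2024.4.7076"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (year, branch, build) from an Octopus Server version string.

    Trailing suffixes (e.g. pre-release tags) are ignored; anything that does
    not start with three dotted integers is rejected.
    """
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised Octopus Server version: {version!r}")
    year, branch, build = (int(part) for part in match.groups())
    return year, branch, build


def is_affected(version: str) -> bool:
    """True if the version is vulnerable to CVE-2025-0589 per the advisory."""
    year, branch, build = parse_version(version)
    release_branch = (year, branch)

    # Outside 2020.3 .. 2024.4 is not listed as affected. Assumption: newer
    # branches than 2024.4 are treated as unaffected because the advisory
    # names no later branch.
    if release_branch < AFFECTED_FROM or release_branch > AFFECTED_THROUGH:
        return False

    # On a patched branch, builds at or above the fixed build are safe.
    fixed_build = FIXED_BUILDS.get(release_branch)
    if fixed_build is not None and build >= fixed_build:
        return False

    return True


def assess_inventory(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it is affected."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or real data.
    sample_inventory = [
        "2020.2.100",      # before the affected range
        "2020.3.1",        # first affected branch
        "2023.1.500",      # mid-range, no patched build on this branch
        "2024.3.13070",    # 2024.3 branch, just below the fix
        "2024.3.13071",    # 2024.3 branch, patched
        "2024.4.7064",     # 2024.4 branch, just below the fix
        "2024.4.7065",     # 2024.4 branch, patched
        RECOMMENDED_VERSION,
    ]
    for version, affected in assess_inventory(sample_inventory).items():
        status = "AFFECTED - upgrade" if affected else "not affected"
        print(f"{version:<14} {status}")
```

Versions in the affected range on a branch that never received a patch (for example 2023.1.x) are reported as affected regardless of build number, since the advisory offers no fix on those branches; the only path off the vulnerable range for them is moving to 2024.3.13071, 2024.4.7065 or later.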

Additional resources

Source: Octopus Advisory

This report was generated using AI.
