CVE-2025-0589

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-0589

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

I

n affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

References
Link Resource
https://advisories.octopus.com/post/2025/sa2025-01/ Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
OR cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

02 Jul 2025, 17:25

Type Values Removed Values Added
First Time Microsoft windows
Linux linux Kernel
Microsoft
Linux
Octopus octopus Server
Octopus
CPE cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Summary
  • (es) En las versiones afectadas de Octopus Deploy en las que los clientes utilizan Active Directory para la autenticación, era posible que un usuario no autenticado realizara una solicitud de API contra dos endpoints que recuperarían algunos datos del Active Directory asociado. Las solicitudes, cuando se elaboraban correctamente, devolverían información específica de los perfiles de usuario (dirección de correo electrónico/UPN y nombre para mostrar) de un endpoint e información de grupo (ID de grupo y nombre para mostrar) del otro. Esta vulnerabilidad no expone los datos dentro del producto Octopus Server en sí.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
References () https://advisories.octopus.com/post/2025/sa2025-01/ - () https://advisories.octopus.com/post/2025/sa2025-01/ - Vendor Advisory

11 Feb 2025, 16:15

Type Values Removed Values Added
CWE CWE-648

11 Feb 2025, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-11 09:15

Updated : 2025-07-02 17:25

NVD link : CVE-2025-0589

Mitre link : CVE-2025-0589

CVE.ORG link : CVE-2025-0589

JSON object : View

Products Affected

linux

octopus

microsoft

CWE
CWE-648

Incorrect Use of Privileged APIs