CVE-2024-2975: Octopus Deploy Patches Critical Privilege Escalation Vulnerability

Octopus Deploy, the popular deployment automation platform, has released a security advisory and subsequent patches to address a critical vulnerability (CVE-2024-2975). This flaw could allow attackers to escalate their privileges under specific configurations, potentially granting them unauthorized control over the affected systems.

CVE-2024-2975

Image: Octopus Deploy

Vulnerability Details

The vulnerability (CVSS score: 8.8) stems from a race condition within the Octopus Server. Successful exploitation could allow unprivileged users to elevate their access within the software, potentially enabling them to execute privileged actions and gain sensitive information.

Affected Versions

The vulnerability impacts a wide range of Octopus Server versions, including:

  • All versions prior to 2023.4.8432
  • All 2023.x.x versions
  • 2024.1.x versions prior to 2024.1.12087
  • 2024.2.x versions prior to 2024.2.2075

Mitigation and Recommendations

Octopus Deploy strongly urges users to upgrade to the patched versions as soon as possible:

  • Ideal Solution: Upgrade to 2024.1.12087 or later.
  • If an immediate update is impossible: Upgrade to the latest version within your existing major release series.
If you have a feature version… …then upgrade to this version
0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x 2024.1.12087 or greater
2018.x, 2019.x, 2020.x, 2021.x, 2022.x 2024.1.12087 or greater
2023.1.x, 2023.2.x, 2023.3.x 2024.1.12087 or greater
2023.4.x 2023.4.8432 or greater
2024.1.x 2024.1.12087 or greater

Octopus Deploy strongly recommends upgrading to the latest version, specifically 2024.1.12087, to safeguard against this vulnerability. Detailed guidance is provided for users across different feature versions, with a clear directive to update to a fixed version as promptly as possible. This step is crucial as there are no known mitigations for CVE-2024-2975; upgrading is the only path to securing your environment against this threat.

Proactive Discovery and Transparency

This vulnerability was found by jebi. There is no indication of active exploitation in the wild.

For more information, please refer to the original Octopus Deploy Security Advisory.