CVE-2024-9194: SQLi Flaw Discovered in Octopus Server, Urgent Patch Recommended
Octopus Deploy, a leading continuous delivery platform used by thousands of software teams worldwide, has released a critical security update to address a severe vulnerability (CVE-2024-9194) in its Octopus Server product. The vulnerability, rated 8.7 on the CVSS scale, could allow unauthorized access to sensitive database tables, potentially exposing confidential project data and deployment configurations.
The vulnerability stems from improper parameterization of data in the REST API, leaving it susceptible to SQL injection attacks. An attacker could exploit this flaw to execute malicious SQL queries, gaining unauthorized access to the underlying database.
Affected Versions and Remediation
All versions of Octopus Server within the 2024.1.x, 2024.2.x, and 2024.3.x branches prior to the following specific releases are impacted:
- 2024.1.13038
- 2024.2.9482
- 2024.3.12766
Octopus Deploy strongly recommends that all users upgrade to the latest patched versions immediately. The company has made the latest versions available for download on its website. Octopus Cloud users have already been automatically upgraded and are not affected.
No Known Exploits, But Urgency is Key
Fortunately, Octopus Deploy’s security team has confirmed that, as of now, there have been no public exploits or malicious use of CVE-2024-9194. The vulnerability was responsibly disclosed by a researcher from Bugcrowd, and no known attacks have surfaced. Nevertheless, given the severity of SQL injection vulnerabilities, organizations using affected versions of Octopus Server should not delay in applying the patch.
No Mitigation Available – Upgrade is Critical
At present, there are no known mitigations for this vulnerability, making the upgrade process essential to maintaining the security of Octopus Deploy environments. For those unable to immediately upgrade, it is recommended to disable the “Guest” feature in Octopus Server until the update can be completed, although this is a temporary measure and does not fully protect against potential exploitation.
