Code Execution Vulnerability in Octopus Deploy

Unknown what version is vulnerable, if it has been reported, or if it has been fixed.

Hi Kay

Thanks for getting in touch!

We’re definitely aware of this metasploit module - the short version is that there is nothing to worry about.

The slightly longer version is that it relies on having valid user credentials and/or a valid api key. So, effectively, the “exploit” is “given an api key, I can execute scripts”, which is kind of the point of Octopus Deploy.

The best advice that I can give is standard password security advice: ensure all credentials are kept secure, and regularly review api keys to ensure that old api keys are removed when they are no longer needed. If you are using Google Apps or Azure AD authentication, ensure that all users have Two Factor Authentication enabled.

Hope that helps. If we can assist any further, please let me know.