Octopus Deploy website is exposed to a directory enumeration attack

Without a user logging in, when we try to access the web page with /api at the end of the URL, it exposes the complete details of the Octopus Deploy version and the project directories as well. I tried multiple ways to fix this; can someone suggest how to fix this?

Hi @azurework112,

Thanks for getting in touch!

The information displayed by browsing to /api/ is a list of our standard API endpoints. None of these are unique to your instance, and none of them can be used without authentication, so there isn’t any need to hide this information.

The only way I can see to restrict access to this page would be through networking security, such as placing IP restrictions on who can browse to the Octopus web portal.
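The reply above rests on two claims an operator can verify: the /api index is public, and none of the endpoints it lists can be used without credentials. The script below is an added example, not code from this thread or from Octopus Deploy. It takes an API index document, strips URI-template segments from the listed links, probes each path with an unauthenticated GET, and reports any path that answers 2xx. The JSON shape (`Version`, `Links`), the sample paths, and the simulated server are constructed assumptions so the check runs offline; point `http_status` at a real base URL to probe a live instance.

```python
import json
import re
from typing import Callable, Dict, List
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed sample of an API index document. Field names and paths are
# assumptions for this example, not output copied from any real server.
SAMPLE_INDEX = json.dumps({
    "Version": "0.0.0-example",
    "Links": {
        "Self": "/api",
        "Projects": "/api/projects{/id}{?skip,take}",
        "Environments": "/api/environments{/id}{?skip,take}",
        "Users": "/api/users{/id}",
    },
})

# Matches URI-template segments such as "{/id}" or "{?skip,take}".
TEMPLATE_SEGMENT = re.compile(r"\{[^}]*\}")


def fake_fetch(url: str) -> int:
    """Constructed simulated server: the index is public, everything else
    demands credentials and answers 401. Swap in http_status for real use."""
    path = urlsplit(url).path.rstrip("/")
    return 200 if path == "/api" else 401


def http_status(url: str, timeout: float = 10.0) -> int:
    """HTTP status of an unauthenticated GET; transport errors map to -1."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return -1


def concrete_paths(index_json: str) -> List[str]:
    """Link paths from the index with template segments removed, de-duplicated."""
    doc = json.loads(index_json)
    paths = {TEMPLATE_SEGMENT.sub("", p) for p in doc["Links"].values()}
    return sorted(paths)


def probe(base_url: str, paths: List[str],
          fetch: Callable[[str], int]) -> Dict[str, int]:
    """Map each path to the status an unauthenticated request receives."""
    root = base_url.rstrip("/")
    return {p: fetch(root + p) for p in paths}


def unauthenticated_exposure(statuses: Dict[str, int],
                             index_path: str = "/api") -> List[str]:
    """Paths that answered 2xx without credentials, excluding the public index."""
    return sorted(p for p, s in statuses.items()
                  if 200 <= s < 300 and p.rstrip("/") != index_path)


def run_check(base_url: str, index_json: str,
              fetch: Callable[[str], int] = http_status) -> List[str]:
    """Full check: parse the index, probe every listed path, report leaks."""
    return unauthenticated_exposure(probe(base_url, concrete_paths(index_json), fetch))


if __name__ == "__main__":
    leaks = run_check("https://octopus.example", SAMPLE_INDEX, fake_fetch)
    print("endpoints reachable without credentials:", leaks or "none")
```

An empty result confirms the reply's position that the index reveals nothing usable. Any path that appears in the list is what a network-level restriction in front of the web portal would cover, and the list gives the reviewer something concrete to act on rather than the bare fact that /api is browsable.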


This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.