Octopus Deploy has disclosed a high-severity vulnerability in Octopus Server, its widely used deployment and operations automation tool, tracked as CVE-2024-2975. The flaw is a race condition that, in certain configurations, allows an attacker to escalate privileges. It was identified on February 20, 2024, and Octopus Deploy released patched builds on March 21, 2024; both the Linux and Microsoft Windows editions of Octopus Server are affected. Because the affected range spans several years of releases, users are urged to upgrade immediately.
Octopus Deploy's advisory rates the vulnerability as high severity and lists a wide range of affected versions, including releases from 2024. The company has identified no mitigation other than upgrading: the fix ships in 2023.4.8432, 2024.1.12087 and 2024.2.2075. Customers should move to the current release, 2024.1.12087, or to the patched build for their own release line, following the upgrade paths Octopus Deploy provides.
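A quick way to triage an installed version against the fixed builds named above, as an added example that is not Octopus Deploy's own tooling: the three fixed builds come from the advisory, while the rule that any build older than the first fixed build on its line (or on a line older than 2023.4) needs upgrading, and that lines newer than 2024.2 branched after the fix, is this example's conservative assumption. The version strings under SAMPLE_VERSIONS are constructed inputs.

```python
"""Triage Octopus Server version strings against the CVE-2024-2975 fixed builds.

Added example, not Octopus Deploy's own code. FIXED_BUILDS comes from the
advisory; the handling of lines outside those three is this example's
conservative assumption.
"""
import re

# First build on each release line that carries the fix (from the advisory).
FIXED_BUILDS = {
    (2023, 4): (2023, 4, 8432),
    (2024, 1): (2024, 1, 12087),
    (2024, 2): (2024, 2, 2075),
}

# Octopus Server versions look like YYYY.minor.build, optionally followed by a
# pre-release suffix such as "-something"; only the numeric triple matters here.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'YYYY.minor.build[-suffix]' into an (int, int, int) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Octopus Server version: {text!r}")
    return tuple(int(group) for group in match.groups())


def is_patched(text):
    """Return True when the given version already contains the fix."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED_BUILDS:
        # Same release line: the build number decides.
        return version >= FIXED_BUILDS[line]
    # Assumption: lines older than 2023.4 never received the fix (upgrade),
    # and lines newer than 2024.2 were cut after the fix landed.
    return line > (2024, 2)


def triage(versions):
    """Map each version string to 'patched' or 'upgrade required'."""
    return {
        v: ("patched" if is_patched(v) else "upgrade required") for v in versions
    }


# Constructed sample inputs, not real inventory data.
SAMPLE_VERSIONS = [
    "2022.3.10000",
    "2023.4.8431",
    "2023.4.8432",
    "2024.1.12000",
    "2024.1.12087",
    "2024.2.2074-pre",
    "2024.2.2075",
]

if __name__ == "__main__":
    for version, verdict in triage(SAMPLE_VERSIONS).items():
        print(f"{version:<18} {verdict}")
```

Feed it the version reported by the Octopus web portal, or the Version field of the API root resource (for example GET /api), for each Octopus Server instance in your estate; anything marked "upgrade required" should be scheduled for an upgrade along the paths Octopus Deploy documents.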
Octopus Deploy's security team reports that it has seen neither public disclosure nor malicious exploitation of CVE-2024-2975, but given the severity of the flaw users should not wait for either. Octopus Server administrators should check their installed versions now and upgrade any instance that predates the patched build for its release line.