cve-2023-41047
Vulnerability from cvelistv5
Published
2023-10-09 15:18
Modified
2024-09-19 16:47
Severity ?
6.2 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Summary
Improper Neutralization of Special Elements Used in a Template Engine in OctoPrint
References
security-advisories@github.comhttps://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17dbPatch
security-advisories@github.comhttps://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3Release Notes
security-advisories@github.comhttps://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97phVendor Advisory
Impacted products
OctoPrintOctoPrint
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:46:11.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph"
          },
          {
            "name": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db"
          },
          {
            "name": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "octoprint",
            "vendor": "octoprint",
            "versions": [
              {
                "lessThan": "1.9.3",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T16:43:52.751548Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T16:47:17.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OctoPrint",
          "vendor": "OctoPrint",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-09T15:18:06.331Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph"
        },
        {
          "name": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db"
        },
        {
          "name": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3"
        }
      ],
      "source": {
        "advisory": "GHSA-fwfg-vprh-97ph",
        "discovery": "UNKNOWN"
      },
      "title": "Improper Neutralization of Special Elements Used in a Template Engine in OctoPrint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-41047",
    "datePublished": "2023-10-09T15:18:06.331Z",
    "dateReserved": "2023-08-22T16:57:23.933Z",
    "dateUpdated": "2024-09-19T16:47:17.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41047\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-10-09T16:15:10.480\",\"lastModified\":\"2023-10-13T18:40:38.120\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties.\"},{\"lang\":\"es\",\"value\":\"OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.2 incluida contienen una vulnerabilidad que permite a administradores malintencionados configurar un script GCODE especialmente manipulado que permitir\u00e1 la ejecuci\u00f3n de c\u00f3digo durante la representaci\u00f3n de ese script. Un atacante podr\u00eda usar esto para extraer datos administrados por OctoPrint o manipular datos administrados por OctoPrint, as\u00ed como ejecutar comandos arbitrarios con los derechos del proceso OctoPrint en el sistema servidor. Se han parcheado las versiones de OctoPrint desde 1.9.3 en adelante. Se recomienda a los administradores de instancias de OctoPrint que se aseguren de que pueden confiar en todos los dem\u00e1s administradores de su instancia y que tampoco configuren ciegamente scripts GCODE arbitrarios que se encuentren en l\u00ednea o que les proporcionen terceros.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.6,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.7,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.3\",\"matchCriteriaId\":\"6DDB94E4-F56F-4C7C-A828-B76E70051E66\"}]}]}],\"references\":[{\"url\":\"https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.