cvelistv5 - cve-2024-23637

Source	URL	Tags
security-advisories@github.com	https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125	Patch
security-advisories@github.com	https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1	Release Notes
security-advisories@github.com	https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr	Third Party Advisory

Vendor	Product
OctoPrint	OctoPrint

ghsa-5626-pw9c-hmjr

Vulnerability from github

Published

2024-01-31 18:04

Modified

2024-02-08 16:30

Severity

4.2 (Medium) - CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Summary

OctoPrint Unverified Password Change via Access Control Settings

Details

Impact

OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.

An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.

Patches

The vulnerability will be patched in version 1.10.0.

Workarounds

OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy "TK" Ruppert.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T18:04:48Z",
    "nvd_published_at": "2024-01-31T18:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.\n\nAn attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.0.\n\n### Workarounds\n\nOctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy \"TK\" Ruppert.\n",
  "id": "GHSA-5626-pw9c-hmjr",
  "modified": "2024-02-08T16:30:05Z",
  "published": "2024-01-31T18:04:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OctoPrint/OctoPrint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-29.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OctoPrint Unverified Password Change via Access Control Settings"
}

gsd-2024-23637

Vulnerability from gsd

Modified

2024-01-19 06:02

Details

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.

Aliases

CVE-2024-23637

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-23637"
      ],
      "details": "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.",
      "id": "GSD-2024-23637",
      "modified": "2024-01-19T06:02:13.268552Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-23637",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "OctoPrint",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.10.0rc1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OctoPrint"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-287",
                "lang": "eng",
                "value": "CWE-287: Improper Authentication"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-620",
                "lang": "eng",
                "value": "CWE-620: Unverified Password Change"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr",
            "refsource": "MISC",
            "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
          },
          {
            "name": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125",
            "refsource": "MISC",
            "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
          },
          {
            "name": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1",
            "refsource": "MISC",
            "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5626-pw9c-hmjr",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "216857C0-BBE7-49CA-890B-A3A277108CF6",
                    "versionEndIncluding": "1.9.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0."
          },
          {
            "lang": "es",
            "value": "OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.3 incluida contienen una vulnerabilidad que permite a administradores malintencionados cambiar la contrase\u00f1a de otras cuentas de administrador, incluida la suya propia, sin tener que repetir su contrase\u00f1a. Un atacante que lograra secuestrar una cuenta de administrador podr\u00eda usar esto para bloquear a los administradores reales de su instancia de OctoPrint. La vulnerabilidad se parchear\u00e1 en la versi\u00f3n 1.10.0."
          }
        ],
        "id": "CVE-2024-23637",
        "lastModified": "2024-02-08T01:38:50.143",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 0.8,
              "impactScore": 3.4,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-31T18:15:49.810",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Release Notes"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-287"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-287"
              },
              {
                "lang": "en",
                "value": "CWE-620"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

pysec-2024-29

Vulnerability from pysec

Published

2024-01-31 18:15

Modified

2024-02-08 07:19

Severity

4.9 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Details

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "octoprint",
        "purl": "pkg:pypi/octoprint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1729d167b4ae4a5835bbc7211b92c6828b1c4125"
            }
          ],
          "repo": "https://github.com/OctoPrint/OctoPrint",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.11",
        "1.3.12",
        "1.3.12rc1",
        "1.3.12rc3",
        "1.4.0",
        "1.4.0rc1",
        "1.4.0rc2",
        "1.4.0rc3",
        "1.4.0rc4",
        "1.4.0rc5",
        "1.4.0rc6",
        "1.4.1",
        "1.4.1rc1",
        "1.4.1rc2",
        "1.4.1rc3",
        "1.4.1rc4",
        "1.4.2",
        "1.5.0",
        "1.5.0rc1",
        "1.5.0rc2",
        "1.5.0rc3",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.6.0",
        "1.6.0rc1",
        "1.6.0rc2",
        "1.6.0rc3",
        "1.6.1",
        "1.7.0",
        "1.7.0rc1",
        "1.7.0rc2",
        "1.7.0rc3",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.0rc1",
        "1.8.0rc2",
        "1.8.0rc3",
        "1.8.0rc4",
        "1.8.0rc5",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7",
        "1.9.0",
        "1.9.0rc1",
        "1.9.0rc2",
        "1.9.0rc3",
        "1.9.0rc4",
        "1.9.0rc5",
        "1.9.0rc6",
        "1.9.1",
        "1.9.2",
        "1.9.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23637",
    "GHSA-5626-pw9c-hmjr"
  ],
  "details": "OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.",
  "id": "PYSEC-2024-29",
  "modified": "2024-02-08T07:19:40.535297+00:00",
  "published": "2024-01-31T18:15:00+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
    },
    {
      "type": "FIX",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Action not permitted

cve-2024-23637

Vulnerability from cvelistv5

ghsa-5626-pw9c-hmjr

Vulnerability from github

Impact

Patches

Workarounds

Credits

gsd-2024-23637

Vulnerability from gsd

pysec-2024-29

Vulnerability from pysec

Tags