PYSEC-2024-237

Vulnerability from pysec - Published: 2024-05-14 16:17 - Updated: 2025-03-05 17:22
VLAI?
Details

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, spoofing their IP via the X-Forwarded-For header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

Severity ?
9.4 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Impacted products
Name purl
octoprint pkg:pypi/octoprint
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "octoprint",
        "purl": "pkg:pypi/octoprint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5afbec8d23508edc25b0f1bdef1620580136add4"
            },
            {
              "fixed": "5afbec8d23508edc25b0f1bdef1620580136add4"
            }
          ],
          "repo": "https://github.com/octoprint/octoprint",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.10.0",
        "1.10.0rc1",
        "1.10.0rc2",
        "1.10.0rc3",
        "1.10.0rc4",
        "1.3.11",
        "1.3.12",
        "1.3.12rc1",
        "1.3.12rc3",
        "1.4.0",
        "1.4.0rc1",
        "1.4.0rc2",
        "1.4.0rc3",
        "1.4.0rc4",
        "1.4.0rc5",
        "1.4.0rc6",
        "1.4.1",
        "1.4.1rc1",
        "1.4.1rc2",
        "1.4.1rc3",
        "1.4.1rc4",
        "1.4.2",
        "1.5.0",
        "1.5.0rc1",
        "1.5.0rc2",
        "1.5.0rc3",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.6.0",
        "1.6.0rc1",
        "1.6.0rc2",
        "1.6.0rc3",
        "1.6.1",
        "1.7.0",
        "1.7.0rc1",
        "1.7.0rc2",
        "1.7.0rc3",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.0rc1",
        "1.8.0rc2",
        "1.8.0rc3",
        "1.8.0rc4",
        "1.8.0rc5",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.8.5",
        "1.8.6",
        "1.8.7",
        "1.9.0",
        "1.9.0rc1",
        "1.9.0rc2",
        "1.9.0rc3",
        "1.9.0rc4",
        "1.9.0rc5",
        "1.9.0rc6",
        "1.9.1",
        "1.9.2",
        "1.9.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32977"
  ],
  "details": "OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.",
  "id": "PYSEC-2024-237",
  "modified": "2025-03-05T17:22:29.121263+00:00",
  "published": "2024-05-14T16:17:12+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7"
    },
    {
      "type": "FIX",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4"
    }
  ],
  "related": [
    "GHSA-2vjq-hg5w-5gm7",
    "GHSA-2vjq-hg5w-5gm7"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.