CVE-2024-32977

2024-05-1416:17:12

CWE-290

[email protected]

web.nvd.nist.gov

octoprint

unauthenticated access vulnerability

autologinlocal

authentication bypass

ip spoofing

x-forwarded-for header

patch

version 1.10.0

version 1.10.1

network configuration

hostile networks

7.1 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, spoofing their IP via the X-Forwarded-For header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

Affected configurations

Vulners

Node

octoprintoctoprintRange<1.10.1

VendorProductVersionCPE
octoprintoctoprint*cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octoprint	octoprint	*	cpe:2.3:a:octoprint:octoprint::::::::

CNA Affected

[
  {
    "vendor": "OctoPrint",
    "product": "OctoPrint",
    "versions": [
      {
        "version": "< 1.10.1",
        "status": "affected"
      }
    ]
  }
]