GitHub_MCVELIST:CVE-2024-32977CVE-2024-32977 OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS
Percentile
9.0%
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, spoofing their IP via the X-Forwarded-For header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.
CNA Affected
[
{
"vendor": "OctoPrint",
"product": "OctoPrint",
"versions": [
{
"version": "< 1.10.1",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
ADJACENT
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS
Percentile
9.0%