Lucene search

GitHub Advisory DatabaseGHSA-49WM-4FP6-H59C

HistorySep 22, 2022 - 12:00 a.m.

OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

2022-09-2200:00:32

CWE-434

GitHub Advisory Database

github.com

octoprint

vulnerable

file upload

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

OctoPrint prior to version 1.8.3 is vulnerable to Unrestricted Upload of File with Dangerous Type. Due to misconfiguration in move file functionality, an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file. Version 1.8.3 contains a patch.

Affected configurations

Vulners

Node

octoprintoctoprintRange<1.8.3

VendorProductVersionCPE
octoprintoctoprint*cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octoprint	octoprint	*	cpe:2.3:a:octoprint:octoprint::::::::

References

github.com/advisories/GHSA-49wm-4fp6-h59c

github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0

github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-286.yaml

huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

nvd.nist.gov/vuln/detail/CVE-2022-2872