Lucene search

GitHub Advisory DatabaseGHSA-5W5X-Q9P5-9QG3

HistoryAug 16, 2022 - 12:00 a.m.

OctoPrint does not have rate limiting on the login page

2022-08-1600:00:31

CWE-307

GitHub Advisory Database

github.com

octoprint

rate limiting

brute force attacks

fix

repository

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

51.0%

JSON

OctoPrint 1.7.3 and prior does not have rate limiting on the login page, making it possible for attackers to attempt brute force attacks. The severity of this issue is limited by OctoPrint normally running in a restricted LAN. The devel and maintenance branches of the repository have a fix that limits the rate of failed login attempts.

Affected configurations

Vulners

Node

octoprintoctoprintRange≤1.7.3

VendorProductVersionCPE
octoprintoctoprint*cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octoprint	octoprint	*	cpe:2.3:a:octoprint:octoprint::::::::

References

github.com/advisories/GHSA-5w5x-q9p5-9qg3

github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de

huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d

nvd.nist.gov/vuln/detail/CVE-2022-2822

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

51.0%

JSON

Related for GHSA-5W5X-Q9P5-9QG3