Lucene search

GitHub Advisory DatabaseGHSA-X9RQ-FJP5-QGM9

HistoryMay 24, 2022 - 7:02 p.m.

OctoPrint Incorrect Access Control

2022-05-2419:02:06

CWE-284

GitHub Advisory Database

github.com

octoprint

logging subsystem

access control

file management

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.0%

JSON

The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not *.log files.

Affected configurations

Vulners

Node

octoprintoctoprintRange<1.6.0

VendorProductVersionCPE
octoprintoctoprint*cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octoprint	octoprint	*	cpe:2.3:a:octoprint:octoprint::::::::

References

github.com/advisories/GHSA-x9rq-fjp5-qgm9

github.com/OctoPrint/OctoPrint/releases/tag/1.6.0

nvd.nist.gov/vuln/detail/CVE-2021-32560

octoprint.org/blog/2021/04/27/new-release-1.6.0/

www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.0%

JSON

Related for GHSA-X9RQ-FJP5-QGM9