HIGH🇬🇧 English

CVE-2024-32977

CVSS 7.1v3.1pub. 2024-05-14upd. 2025-04-10

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

oryginał EN
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Octoprint

    APP
    Octoprint
    < 1.10.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2018-16710CRITICAL9.1ten sam produkt

OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service v...

CVE-2025-58180HIGH7.5ten sam produkt

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and inclu...

CVE-2022-3068HIGH8.8ten sam produkt

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

CVE-2022-2930HIGH7.8ten sam produkt

Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.

CVE-2022-2822HIGH7.5ten sam produkt

An attacker can freely brute force username and password and can takeover any account. An attacker could easil...