HIGH🇵🇱 Wersja polska

CVE-2024-32977

CVSS 7.1v3.1pub. 2024-05-14upd. 2025-04-10

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Octoprint

    APP
    Octoprint
    < 1.10.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2018-16710CRITICAL9.1ten sam produkt

OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service v...

CVE-2025-58180HIGH7.5ten sam produkt

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and inclu...

CVE-2022-3068HIGH8.8ten sam produkt

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

CVE-2022-2930HIGH7.8ten sam produkt

Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.

CVE-2022-2822HIGH7.5ten sam produkt

An attacker can freely brute force username and password and can takeover any account. An attacker could easil...