Homepage
About Snyk

Unverified Password Change Affecting octoprint package, versions [,1.10.0rc1)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.05% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-OCTOPRINT-6226360
  • published 1 Feb 2024
  • disclosed 31 Jan 2024
  • credit tkruppert
Report a new vulnerability Found a mistake?

Introduced: 31 Jan 2024

CVE-2024-23637 Open this link in a new tab
CWE-620 Open this link in a new tab

How to fix?

Upgrade OctoPrint to version 1.10.0rc1 or higher.

Overview

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Unverified Password Change via the access control settings. An attacker can change the password of other admin accounts without having to verify their current password by exploiting this vulnerability. This is only exploitable if the attacker has already hijacked an admin account.

Workaround

OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
4.2 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

4.9 medium