Homepage
About Snyk

Authentication Bypass by Spoofing Affecting octoprint package, versions [,1.10.1)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-OCTOPRINT-6846228
  • published 15 May 2024
  • disclosed 14 May 2024
  • credit Jacopo Tediosi
Report a new vulnerability Found a mistake?

Introduced: 14 May 2024

CVE-2024-32977 Open this link in a new tab
CWE-290 Open this link in a new tab

How to fix?

Upgrade OctoPrint to version 1.10.1 or higher.

Overview

OctoPrint is a snappy web interface for your 3D printer

Affected versions of this package are vulnerable to Authentication Bypass by Spoofing due to the autologinLocal configuration option. An attacker can bypass authentication controls by spoofing their IP address using the X-Forwarded-For header.

Note: If autologin is not enabled, this vulnerability does not have any impact.

Workaround

OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.1 high
  • Attack Vector (AV)
    Adjacent
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    Low