GHSA-49wm-4fp6-h59c

Source
https://github.com/advisories/GHSA-49wm-4fp6-h59c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-49wm-4fp6-h59c/GHSA-49wm-4fp6-h59c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-49wm-4fp6-h59c
Aliases
Published
2022-09-22T00:00:32Z
Modified
2024-10-07T21:36:48.462736Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type
Details

OctoPrint prior to version 1.8.3 is vulnerable to Unrestricted Upload of File with Dangerous Type. Due to a misconfiguration in the move-file functionality, an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file, bypassing the type check that was applied at upload time. Version 1.8.3 contains a patch.
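The defect class the advisory describes is an upload path that enforces an extension allowlist while a later rename or move path does not, so the extension check can be undone after the fact. The following Python block is an added illustration written for this page; it is not OctoPrint's code, and `FileStore`, `ALLOWED_EXTENSIONS`, `move_unchecked` and `move_checked` are hypothetical names. It places the unchecked move beside a hardened one that validates the destination name exactly as a fresh upload would be validated.

```python
"""Illustrative in-memory file store showing an upload/move type-check gap.

Added example for this advisory page; not OctoPrint's implementation.
The allowlist and all names below are constructed for the demonstration.
"""
import posixpath

# Constructed allowlist of printable-file extensions (hypothetical values).
ALLOWED_EXTENSIONS = {"gcode", "gco", "g"}


def extension_of(path: str) -> str:
    """Return the lower-cased final extension of the basename, or '' if none.

    Only the last dotted component counts, so 'part.gcode.html' yields 'html';
    a double extension cannot pass as a .gcode file.
    """
    name = posixpath.basename(path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_allowed_type(path: str) -> bool:
    """True if the name's extension is on the allowlist."""
    return extension_of(path) in ALLOWED_EXTENSIONS


class FileStore:
    """Tiny stand-in for a server-side file store keyed by relative name."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def upload(self, name: str, data: bytes) -> None:
        # Upload enforces the allowlist on the incoming name.
        if not is_allowed_type(name):
            raise ValueError(f"rejected upload: {name!r}")
        self.files[name] = data

    def move_unchecked(self, src: str, dst: str) -> None:
        # Defect pattern: the destination name is trusted, so a file that
        # passed the upload check can be renamed to any extension.
        if src not in self.files:
            raise FileNotFoundError(src)
        self.files[dst] = self.files.pop(src)

    def move_checked(self, src: str, dst: str) -> None:
        # Hardened: the destination must satisfy the same type policy as an
        # upload, so a move cannot change a file's effective type.
        if src not in self.files:
            raise FileNotFoundError(src)
        if not is_allowed_type(dst):
            raise ValueError(f"rejected move to {dst!r}: extension not allowed")
        self.files[dst] = self.files.pop(src)


def demo() -> tuple[bool, bool]:
    """Run both move variants on a constructed upload.

    Returns (escaped, blocked): whether the unchecked move let the file take
    a non-allowlisted extension, and whether the checked move refused it.
    """
    payload = b"constructed file contents"  # constructed stand-in, not a real payload

    unchecked = FileStore()
    unchecked.upload("model.gcode", payload)
    unchecked.move_unchecked("model.gcode", "model.html")
    escaped = "model.html" in unchecked.files

    checked = FileStore()
    checked.upload("model.gcode", payload)
    try:
        checked.move_checked("model.gcode", "model.html")
        blocked = False
    except ValueError:
        blocked = True
    # The hardened store still holds the file under its original name.
    blocked = blocked and "model.gcode" in checked.files
    return escaped, blocked


if __name__ == "__main__":
    print(demo())
```

The design point is that every operation which can produce a new name (upload, rename, move, copy, extract) must route through the same validator; checking only at the entry point leaves later name changes as a bypass.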

References

Affected packages

PyPI / octoprint

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.3

Affected versions

1.*

1.3.11
1.3.12rc1
1.3.12rc3
1.3.12
1.4.0rc1
1.4.0rc2
1.4.0rc3
1.4.0rc4
1.4.0rc5
1.4.0rc6
1.4.0
1.4.1rc1
1.4.1rc2
1.4.1rc3
1.4.1rc4
1.4.1
1.4.2
1.5.0rc1
1.5.0rc2
1.5.0rc3
1.5.0
1.5.1
1.5.2
1.5.3
1.6.0rc1
1.6.0rc2
1.6.0rc3
1.6.0
1.6.1
1.7.0rc1
1.7.0rc2
1.7.0rc3
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0rc1
1.8.0rc2
1.8.0rc3
1.8.0rc4
1.8.0rc5
1.8.0
1.8.1
1.8.2