GHSA-937f-qh3w-6g87

Source

https://github.com/advisories/GHSA-937f-qh3w-6g87

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-937f-qh3w-6g87/GHSA-937f-qh3w-6g87.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-937f-qh3w-6g87

Aliases

Published

2022-09-22T00:00:31Z

Modified

2024-10-08T13:04:57.118601Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

OctoPrint vulnerable to Insufficient Session Expiration.

Details

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. This issue is fixed in version 1.8.3.

Database specific

{
    "nvd_published_at": "2022-09-21T12:15:00Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-613"
    ],
    "github_reviewed_at": "2022-09-23T19:41:15Z"
}

References

Affected packages

PyPI / octoprint

Package

Name: octoprint; View open source insights on deps.dev
Purl: pkg:pypi/octoprint

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3

Affected versions

1.*

1.3.11

1.3.12rc1

1.3.12rc3

1.3.12

1.4.0rc1

1.4.0rc2

1.4.0rc3

1.4.0rc4

1.4.0rc5

1.4.0rc6

1.4.0

1.4.1rc1

1.4.1rc2

1.4.1rc3

1.4.1rc4

1.4.1

1.4.2

1.5.0rc1

1.5.0rc2

1.5.0rc3

1.5.0

1.5.1

1.5.2

1.5.3

1.6.0rc1

1.6.0rc2

1.6.0rc3

1.6.0

1.6.1

1.7.0rc1

1.7.0rc2

1.7.0rc3

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0rc1

1.8.0rc2

1.8.0rc3

1.8.0rc4

1.8.0rc5

1.8.0

1.8.1

1.8.2