PYSEC-2024-237
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/octoprint/PYSEC-2024-237.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2024-237
- Aliases
- Related
- Published
- 2024-05-14T16:17:12Z
- Modified
- 2025-03-05T17:57:14.727995Z
- Severity
-
- 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- [none]
- Details
-
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the
autologinLocaloption is enabled withinconfig.yaml, even if they come from networks that are not configured aslocalNetworks, spoofing their IP via theX-Forwarded-Forheader. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet. - References
Affected packages
PyPI / octoprint
Package
- Name
- octoprint
- View open source insights on deps.dev
- Purl
- pkg:pypi/octoprint
Affected ranges
- Type
- GIT
- Repo
- https://github.com/octoprint/octoprint
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.1