CVE-2024-32977
Published 2024-05-14
Priority: P2 65 · Severity: critical 9.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.90% (percentile 55.1)
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass authentication if the `autologinLocal` option is enabled in `config.yaml`: the local-network check that gates autologin can be satisfied by a client outside the configured `localNetworks`, because the client can spoof its source IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability has no impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or make the instance inaccessible from potentially hostile networks such as the internet.
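The check described above, as an added illustration that is not OctoPrint's code: an autologin rule that resolves the client IP from `X-Forwarded-For` and compares it against `localNetworks`, shown in the weak form (trust the header from anyone, take the left-most hop) next to a hardened form (honour the header only when the direct peer is a configured trusted proxy, and walk the hops right to left). The config keys mirror OctoPrint's documented `accessControl.autologinLocal`, `autologinAs` and `localNetworks` settings; the `Request` model, the function names and the `trusted_proxies` list are assumptions made for this example, and whether the 1.10.1 patch resolves the issue in exactly this way is not stated on this page.

```python
"""
Added example (not OctoPrint's code): the autologin pattern behind CVE-2024-32977.

The config keys mirror OctoPrint's documented accessControl.autologinLocal,
autologinAs and localNetworks settings; everything else here (the Request
model, function names, the trusted_proxies list) is an assumption made for
this illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    remote_addr: str                      # the TCP peer actually connected to the server
    headers: dict = field(default_factory=dict)


# Constructed config, modelled on OctoPrint's accessControl section.
CONFIG = {
    "accessControl": {
        "autologinLocal": True,
        "autologinAs": "admin",
        "localNetworks": ["127.0.0.0/8", "192.168.1.0/24"],
    }
}


def in_networks(ip: str, networks) -> bool:
    """True if ip lies in any CIDR in networks; unparseable input is never 'local'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def client_ip_vulnerable(req: Request) -> str:
    """Weak pattern: believe X-Forwarded-For from anyone, taking the left-most hop.
    The header is attacker-controlled, so any client can claim a local address."""
    xff = req.headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else req.remote_addr


def client_ip_hardened(req: Request, trusted_proxies) -> str:
    """Only honour X-Forwarded-For when the direct peer is a trusted proxy, and
    walk the hops right-to-left, discarding trusted proxies, so the client is the
    first address that was NOT appended by something we trust."""
    if not in_networks(req.remote_addr, trusted_proxies):
        return req.remote_addr                     # no proxy in front of us: header is noise
    xff = req.headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_networks(hop, trusted_proxies):
            return hop
    return req.remote_addr                         # empty header or only trusted hops


def autologin_user(req: Request, config=CONFIG, trusted_proxies=(), hardened=True):
    """Return the user to auto-login as, or None. Mirrors the rule in the advisory:
    autologinLocal must be on and the resolved client IP must be in localNetworks."""
    ac = config["accessControl"]
    if not ac.get("autologinLocal"):
        return None                                # feature off: no impact, as the advisory says
    ip = client_ip_hardened(req, trusted_proxies) if hardened else client_ip_vulnerable(req)
    if in_networks(ip, ac.get("localNetworks", [])):
        return ac.get("autologinAs")
    return None


if __name__ == "__main__":
    # Attacker on the internet, spoofing a loopback source via the header.
    spoof = Request("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
    print("vulnerable:", autologin_user(spoof, hardened=False))   # admin
    print("hardened:  ", autologin_user(spoof))                    # None
```

Two points the example makes that the advisory text only implies: an instance with no reverse proxy at all should never consult the header, and an instance behind a proxy is still exposed if the code takes the left-most hop, because the proxy appends the real peer on the right and leaves whatever the client sent on the left. A garbage header value must also fail closed rather than raise inside the auth path.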
Affected
2 ranges (each listed twice in the source feeds, by version and by commit)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octoprint | octoprint | >= 0, < 1.10.1 | 1.10.1 |
| octoprint | octoprint | all commits before 5afbec8d23508edc25b0f1bdef1620580136add4 | commit 5afbec8d23508edc25b0f1bdef1620580136add4 |
OSV · 2024-05-14
CVE-2024-32977: OctoPrint provides a web interface for controlling consumer 3D printers
(Description identical to the summary above.)
GHSA · 2024-05-14 · CVE-2024-32977 · HIGH · CWE-290
OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
### Impact
OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication **if the `autologinLocal` option is enabled** within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, by spoofing their IP via the `X-Forwarded-For` header.
If autologin is not enabled, this vulnerability does not have any impact.
### Patches
The vulnerability has been patched in version 1.10.1.
### Workaround
Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potential
OSV · 2024-05-14 · CVE-2024-32977 · HIGH
(Mirror of the GHSA advisory above; text identical.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7
- https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4