
CVE-2024-32977


Date: May 14, 2024

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass authentication if the "autologinLocal" option is enabled in "config.yaml", even when the request comes from a network that is not configured in "localNetworks", by spoofing the client IP via the "X-Forwarded-For" header. If autologin is not enabled, this vulnerability has no impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or make the instance inaccessible from potentially hostile networks such as the internet.
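An added illustration of the bug class described above (a constructed example, not OctoPrint's own code): a client-address helper that honours "X-Forwarded-For" from any TCP peer, next to a hardened one that only trusts the header when the peer is a known reverse proxy. The "localNetworks"-style allowlist and the trusted-proxy address are assumptions for the demonstration.

```python
import ipaddress

# Constructed settings (not from OctoPrint's config.yaml): autologin may only
# apply to clients on these ranges, and only one reverse proxy is trusted to
# set X-Forwarded-For.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # hypothetical reverse proxy


def client_ip_vulnerable(remote_addr, headers):
    """Weak pattern: believes whatever X-Forwarded-For claims, from any peer."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Only honour X-Forwarded-For when the TCP peer is a trusted proxy.

    From any other peer the header is attacker-controlled, so the socket
    address (remote_addr) is the real client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    # A single trusted proxy appends the address it actually saw as the last
    # entry; earlier entries may have been supplied by the client itself.
    return xff.split(",")[-1].strip()


def is_local(ip):
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def autologin_allowed(remote_addr, headers, autologin_local=True, resolver=client_ip_hardened):
    """Decide whether the autologin shortcut applies to this request."""
    if not autologin_local:
        return False
    return is_local(resolver(remote_addr, headers))
```

With the vulnerable resolver, an internet peer that sends "X-Forwarded-For: 127.0.0.1" is treated as local; with the hardened resolver the same request is judged by its socket address and gets no autologin.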

Language: Python

Weakness Type (CWE)

Authentication Bypass by Spoofing

CWE-290

Top Fix

Upgrade Version

Upgrade to version octoprint - 1.10.1

CVSS v3.1

Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): LOW
