We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-32977

OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled



Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

Reserved 2024-04-22 | Published 2024-05-14 | Updated 2024-08-02 | Assigner GitHub_M


HIGH: 7.1CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-290: Authentication Bypass by Spoofing

Product status

< 1.10.1
affected

References

github.com/...oPrint/security/advisories/GHSA-2vjq-hg5w-5gm7

github.com/...ommit/5afbec8d23508edc25b0f1bdef1620580136add4

cve.org (CVE-2024-32977)

nvd.nist.gov (CVE-2024-32977)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-32977

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.