We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Ok

THREATINT
PUBLISHED

CVE-2024-32977

OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled

Reserved:2024-04-22
Published:2024-05-14
Updated:2024-05-14

Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.



HIGH: 7.1CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-290: Authentication Bypass by Spoofing

Product status

< 1.10.1
affected

References

https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7

https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4

cve.org CVE-2024-32977

nvd.nist.gov CVE-2024-32977

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-32977