CVE-2022-2888

2022-09-2112:15:09

CWE-613

[email protected]

web.nvd.nist.gov

cve-2022-2888

octoprint

session cookie

authentication

account takeover

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.9%

JSON

If an attacker comes into the possession of a victim’s OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim’s account exists.

Affected configurations

NVD

Node

octoprintoctoprintRange<1.8.3

CPENameOperatorVersion
octoprint:octoprintoctoprintlt1.8.3

CPE	Name	Operator	Version
octoprint:octoprint	octoprint	lt	1.8.3

CNA Affected

[
  {
    "product": "octoprint/octoprint",
    "vendor": "octoprint",
    "versions": [
      {
        "lessThan": "1.8.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]