Lucene search

GitHub_MCVELIST:CVE-2024-23637

HistoryJan 31, 2024 - 6:01 p.m.

CVE-2024-23637 OctoPrint Unverified Password Change via Access Control Settings

2024-01-3118:01:58

CWE-287

CWE-620

GitHub_M

www.cve.org

octoprint

password change

vulnerability

3d printer

access control

security patch

4.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.2%

JSON

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.

CNA Affected

[
  {
    "vendor": "OctoPrint",
    "product": "OctoPrint",
    "versions": [
      {
        "version": "< 1.10.0rc1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125

github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1

github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr