CVE-2024-32977

OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

OctoPrint proporciona una interfaz web para controlar impresoras 3D de consumo. Las versiones de OctoPrint hasta la 1.10.0 incluida contienen una vulnerabilidad que permite a un atacante no autenticado omitir completamente la autenticación si la opción `autologinLocal` está habilitada dentro de `config.yaml`, incluso si provienen de redes que no están configuradas como `localNetworks `, falsificando su IP a través del encabezado `X-Forwarded-For`. Si el inicio de sesión automático no está habilitado, esta vulnerabilidad no tiene ningún impacto. La vulnerabilidad ha sido parcheada en la versión 1.10.1. Hasta que se haya aplicado el parche, los administradores de OctoPrint que tengan habilitado el inicio de sesión automático en sus instancias deben deshabilitarlo y/o hacer que la instancia sea inaccesible desde redes potencialmente hostiles como Internet.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.1

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-22 CVE Reserved
2024-05-14 CVE Published
2024-05-15 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (2)

URL	Tag	Source
https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4	X_refsource_misc
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
OctoPrint Search vendor "OctoPrint"		OctoPrint Search vendor "OctoPrint" for product "OctoPrint"				< 1.10.1 Search vendor "OctoPrint" for product "OctoPrint" and version " < 1.10.1"		en		Affected