CVE-2024-51493

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

History

18 Dec 2024, 16:34

Type	Values Removed	Values Added
CWE	~~CWE-620~~	CWE-306
References	~~() https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953 -~~	() https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Octoprint Octoprint octoprint
CPE		cpe:2.3:a:octoprint:octoprint::::::::

05 Nov 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-05 19:15

Updated : 2024-12-18 16:34

NVD link : CVE-2024-51493

Mitre link : CVE-2024-51493

JSON object : View

Products Affected

octoprint

octoprint

CWE

CWE-306

Missing Authentication for Critical Function

6.5 /10