Vulnerability Details CVE-2024-32977
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.0%
CVSS Severity
CVSS v3 Score 7.1
References
- https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4
- https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7
- https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4
- https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7
Products affected by CVE-2024-32977
-
cpe:2.3:a:octoprint:octoprint:-
-
cpe:2.3:a:octoprint:octoprint:0.1.0
-
cpe:2.3:a:octoprint:octoprint:0.1.1
-
cpe:2.3:a:octoprint:octoprint:0.1.2
-
cpe:2.3:a:octoprint:octoprint:1.0.0
-
cpe:2.3:a:octoprint:octoprint:1.1.0
-
cpe:2.3:a:octoprint:octoprint:1.1.1
-
cpe:2.3:a:octoprint:octoprint:1.1.2
-
cpe:2.3:a:octoprint:octoprint:1.10.0
-
cpe:2.3:a:octoprint:octoprint:1.2.0
-
cpe:2.3:a:octoprint:octoprint:1.2.1
-
cpe:2.3:a:octoprint:octoprint:1.2.10
-
cpe:2.3:a:octoprint:octoprint:1.2.11
-
cpe:2.3:a:octoprint:octoprint:1.2.12
-
cpe:2.3:a:octoprint:octoprint:1.2.13
-
cpe:2.3:a:octoprint:octoprint:1.2.14
-
cpe:2.3:a:octoprint:octoprint:1.2.15
-
cpe:2.3:a:octoprint:octoprint:1.2.16
-
cpe:2.3:a:octoprint:octoprint:1.2.17
-
cpe:2.3:a:octoprint:octoprint:1.2.18
-
cpe:2.3:a:octoprint:octoprint:1.2.2
-
cpe:2.3:a:octoprint:octoprint:1.2.3
-
cpe:2.3:a:octoprint:octoprint:1.2.4
-
cpe:2.3:a:octoprint:octoprint:1.2.5
-
cpe:2.3:a:octoprint:octoprint:1.2.6
-
cpe:2.3:a:octoprint:octoprint:1.2.7
-
cpe:2.3:a:octoprint:octoprint:1.2.8
-
cpe:2.3:a:octoprint:octoprint:1.2.9
-
cpe:2.3:a:octoprint:octoprint:1.3.0
-
cpe:2.3:a:octoprint:octoprint:1.3.1
-
cpe:2.3:a:octoprint:octoprint:1.3.10
-
cpe:2.3:a:octoprint:octoprint:1.3.11
-
cpe:2.3:a:octoprint:octoprint:1.3.12
-
cpe:2.3:a:octoprint:octoprint:1.3.2
-
cpe:2.3:a:octoprint:octoprint:1.3.3
-
cpe:2.3:a:octoprint:octoprint:1.3.4
-
cpe:2.3:a:octoprint:octoprint:1.3.5
-
cpe:2.3:a:octoprint:octoprint:1.3.6
-
cpe:2.3:a:octoprint:octoprint:1.3.7
-
cpe:2.3:a:octoprint:octoprint:1.3.8
-
cpe:2.3:a:octoprint:octoprint:1.3.9
-
cpe:2.3:a:octoprint:octoprint:1.4.0
-
cpe:2.3:a:octoprint:octoprint:1.4.1
-
cpe:2.3:a:octoprint:octoprint:1.4.2
-
cpe:2.3:a:octoprint:octoprint:1.5.0
-
cpe:2.3:a:octoprint:octoprint:1.5.1
-
cpe:2.3:a:octoprint:octoprint:1.5.2
-
cpe:2.3:a:octoprint:octoprint:1.5.3
-
cpe:2.3:a:octoprint:octoprint:1.6.0
-
cpe:2.3:a:octoprint:octoprint:1.6.1
-
cpe:2.3:a:octoprint:octoprint:1.7.0
-
cpe:2.3:a:octoprint:octoprint:1.7.1
-
cpe:2.3:a:octoprint:octoprint:1.7.2
-
cpe:2.3:a:octoprint:octoprint:1.7.3
-
cpe:2.3:a:octoprint:octoprint:1.8.0
-
cpe:2.3:a:octoprint:octoprint:1.8.1
-
cpe:2.3:a:octoprint:octoprint:1.8.2
-
cpe:2.3:a:octoprint:octoprint:1.8.3
-
cpe:2.3:a:octoprint:octoprint:1.9.3