CVE-2024-32977 HIGH

CVE-2024-32977: OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled

Vendor Octoprint
Product OctoPrint
Weakness CWE-290
Published May 14, 2024
Last update August 2, 2024

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

Key dates

02Disclosure timeline

May 14, 2024 CVE published
August 2, 2024 Record updated