CVE-2024-32977: OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
(updated )
OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, by spoofing their IP via the X-Forwarded-For header.
If autologin is not enabled, this vulnerability does not have any impact.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7
- github.com/advisories/GHSA-2vjq-hg5w-5gm7
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-237.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-32977
Code Behaviors & Features
Detect and mitigate CVE-2024-32977 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →