CVE-2024-51493: OctoPrint has API key access in settings without reauthentication
(updated )
OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim’s OctoPrint browser session to retrieve/recreate/delete the user’s or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account’s password.
An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
References
- github.com/OctoPrint/OctoPrint
- github.com/OctoPrint/OctoPrint/commit/9bc80d782d72881b16e20873dcd0b8314324c70c
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953
- github.com/advisories/GHSA-cc6x-8cc7-9953
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-202.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-51493
Code Behaviors & Features
Detect and mitigate CVE-2024-51493 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →