CVE-2024-23637
OctoPrint Unverified Password Change via Access Control Settings
4.2
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
OctoPrint is a web interface for 3D printers. OctoPrint versions up to and including 1.9.3 contain a vulnerability that allows a malicious admin to change the password of other admin accounts, including their own, without having to re-enter their current password. An attacker who has hijacked an admin account could use this to lock the legitimate admins out of their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
How to fix CVE-2024-23637
To remediate CVE-2024-23637, upgrade the affected package to one of the fixed versions below.
- Upgrade to 1.10.0rc1 or later
- Upgrade to 1729d167b4ae4a5835bbc7211b92c6828b1c4125 or later
Is CVE-2024-23637 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.10.0rc1
- from 0, < 1729d167b4ae4a5835bbc7211b92c6828b1c4125 | from 0, < 1.10.0rc1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.2) | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |