CVE-2024-23637: Unverified Password Change

January 31, 2024

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.

References

github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125
github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1
github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr
github.com/advisories/GHSA-5626-pw9c-hmjr
nvd.nist.gov/vuln/detail/CVE-2024-23637

Detect and mitigate CVE-2024-23637 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →