OctoPrint does not have rate limiting on the login page

GHSA-5w5x-q9p5-9qg3 · CVE-2022-2822

Published Aug 16, 2022 · Modified Feb 16, 2024

Description

OctoPrint 1.7.3 and prior does not have rate limiting on the login page, making it possible for attackers to attempt brute force attacks. The severity of this issue is limited by OctoPrint normally running in a restricted LAN. The devel and maintenance branches of the repository have a fix that limits the rate of failed login attempts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-2822
WEB https://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de
PACKAGE https://github.com/octoprint/octoprint
WEB https://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes