OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

GHSA-49wm-4fp6-h59c · CVE-2022-2872 · PYSEC-2022-286

Published Sep 22, 2022 · Modified Oct 7, 2024

Description

OctoPrint prior to version 1.8.3 is vulnerable to Unrestricted Upload of File with Dangerous Type. Due to misconfiguration in move file functionality, an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file. Version 1.8.3 contains a patch.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-2872
WEB https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0
PACKAGE https://github.com/octoprint/octoprint
WEB https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-286.yaml
WEB https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes