CVE-2023-41047 - OpenCVE

Vendors	Products
Octoprint	Octoprint

Link	Resource
https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db	Patch
https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3	Release Notes
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph	Vendor Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-41047", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-22T16:57:23.933Z", "datePublished": "2023-10-09T15:18:06.331Z", "dateUpdated": "2023-10-09T15:18:06.331Z"}, "containers": {"cna": {"title": "Improper Neutralization of Special Elements Used in a Template Engine in OctoPrint", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph"}, {"name": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", "tags": ["x_refsource_MISC"], "url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db"}, {"name": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3"}], "affected": [{"vendor": "OctoPrint", "product": "OctoPrint", "versions": [{"version": "< 1.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-09T15:18:06.331Z"}, "descriptions": [{"lang": "en", "value": "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties."}], "source": {"advisory": "GHSA-fwfg-vprh-97ph", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DDB94E4-F56F-4C7C-A828-B76E70051E66", "versionEndExcluding": "1.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties."}, {"lang": "es", "value": "OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.2 incluida contienen una vulnerabilidad que permite a administradores malintencionados configurar un script GCODE especialmente manipulado que permitir\u00e1 la ejecuci\u00f3n de c\u00f3digo durante la representaci\u00f3n de ese script. Un atacante podr\u00eda usar esto para extraer datos administrados por OctoPrint o manipular datos administrados por OctoPrint, as\u00ed como ejecutar comandos arbitrarios con los derechos del proceso OctoPrint en el sistema servidor. Se han parcheado las versiones de OctoPrint desde 1.9.3 en adelante. Se recomienda a los administradores de instancias de OctoPrint que se aseguren de que pueden confiar en todos los dem\u00e1s administradores de su instancia y que tampoco configuren ciegamente scripts GCODE arbitrarios que se encuentren en l\u00ednea o que les proporcionen terceros."}], "id": "CVE-2023-41047", "lastModified": "2023-10-13T18:40:38.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-09T16:15:10.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

JSON object

JSON object

JSON object