Safety vulnerability ID: 64727
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Octoprint 1.9.3 fixes the CVE-2023-41047. This vulnerability allowed malicious admins to set up a specially designed GCODE script via the settings, enabling code execution during the rendering of the script. An attacker could exploit this to extract, and manipulate data managed by OctoPrint, or execute arbitrary commands with the rights of the OctoPrint process on the server system. However, GCODE files intended for printing were not affected. This vulnerability specifically impacted GCODE Scripts configured during printer connection, pause, resume, etc., accessible only by users with ADMIN permissions.
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph
Latest version: 1.10.3
The snappy web interface for your 3D printer
<p align="center">
<a href="https://octoprint.org/support-octoprint/" target="_blank"><img width="100%" src="https://gist.githubusercontent.com/foosel/8da9b09112c17ac8831735b7c18ac9e7/raw/938338fc55891ee9e28dee943823477d3e7bb14f/banner.svg"></a>
</p>
✋ Heads-ups
**The heads-ups from 1.9.0 still apply**, please read this release's [release notes](https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.0) as well for a full picture of what you should be aware of and what changed!
⛈ Issues while updating?
On every new OctoPrint release we see some people run into the same issues with outdated or broken environments all over again. If you encounter a problem during update, please check [this collection of the most common issues](https://community.octoprint.org/t/my-octoprint-update-fails/37880) encountered over the past couple of release cycles first, and test if the included fixes solve your problem.
♻ Changes
🔒 Security fixes
- Severity Medium (6.4): It was possible for a malicious admin to configure a specially crafted [GCODE script](https://docs.octoprint.org/en/master/features/gcode_scripts.html) through the Settings that would allow code execution during rendering of that script. An attacker could have used this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system.
Please note that GCODE files uploaded to be printed were not affected! This vulnerability exclusively affected GCODE Scripts to be executed on connection to the printer, print pause, resume etc, as described [in the documentation](https://docs.octoprint.org/en/master/features/gcode_scripts.html), to be found under Settings > GCODE Scripts and configurable only by users with the `ADMIN` permission.
See also the [GitHub Security Advisory](https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph) and [CVE-2023-41047](https://nvd.nist.gov/vuln/detail/CVE-2023-41047).
🐛 Bug fixes
- [4849](https://github.com/OctoPrint/OctoPrint/issues/4849) & [PR#4860](https://github.com/OctoPrint/OctoPrint/pull/4860): Fix for not being able to extrude/retract from the control panel in the UI after editing the extrusion speed in the printer profile.
- [4893](https://github.com/OctoPrint/OctoPrint/issues/4893): Pin pydantic dependency to 1.10.12. This works around an issue existing in some environments with pydantic version 1.10.13, which was released on September 26 2023. Said issue causes OctoPrint to no longer be able to start. See also [pydantic/pydantic#7689](https://github.com/pydantic/pydantic/issues/7689).
🎉 Special thanks to all the contributors!
Special thanks to everyone who contributed to this bugfix release, especially to [srLinux](https://github.com/srLinux) for their PR!
Also a big thank you to tianxin Wu (Bearcat), Vulnerability Researcher at Numen Cyber Labs, Singapore, for responsibly disclosing the security vulnerability that was fixed in this release.
🔗 More information
* [Commits](https://github.com/OctoPrint/OctoPrint/compare/1.9.2...1.9.3)
* As this is a bugfix release, there were no release candidates
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application