PyPi: Octoprint

CVE-2024-23637

Safety vulnerability ID: 64726

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 31, 2024. Updated at Nov 29, 2024.

Advisory

OctoPrint 1.10.0rc1 addresses CVE-2024-23637. Before this fix, an administrator (or an attacker who had taken over an administrator's session) could change the passwords of other admin accounts without re-entering their own password, potentially locking those users out and causing loss of control over the OctoPrint instance. The update resolves this by requiring re-authentication before a password change is accepted. It is recommended that all OctoPrint administrators review their access controls to prevent potential exploitation of this vulnerability.
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr

Affected package

octoprint

Latest version: 1.10.3

The snappy web interface for your 3D printer

Affected versions

Fixed versions

Vulnerability changelog

⚠️ Important note on release candidates

This is a **R**elease **C**andidate of OctoPrint. It is not a stable release: severe bugs can occur, and they can be bad enough that they make a manual downgrade to an earlier version necessary - maybe even from the command line.

You should be comfortable with and capable of possibly having to do this before installing an RC.

🔁 Feedback on this RC

Please provide *general* feedback on this RC [in this ticket](https://github.com/OctoPrint/OctoPrint/issues/4938). An "All is working fine" is valuable feedback as well because it tells me people are actually testing this RC and just not finding problems with it.

**If you run into any obvious bugs, please follow ["How to file a bug report"](https://github.com/foosel/OctoPrint/blob/master/CONTRIBUTING.md#how-to-file-a-bug-report)** - I need logs and reproduction steps to fix issues, not just the information that something doesn't work.

Thanks!

Things to take a closer look at

For this RC, these things should get a closer look while testing, if possible:

- Proper behaviour when using the included web interface as well as any third party clients at your disposal.
- User and group management functioning as expected.
- Plugin installation functioning as expected.
- Application key management functioning as expected. Authentication workflow with third party clients at your disposal (e.g. slicers) works as it should.

🔒 Security fixes

- Severity Moderate (4.2): It was possible for admins to perform password changes for their own account or others via the Settings dialog without having to re-enter their password. A malicious administrator or an attacker having taken over an administrator's session could have used this to effectively lock out users from their accounts.

This has now been fixed by introducing a reauthentication requirement on changing passwords in the Settings. Unless the user has authenticated with their password (and other credentials possibly in the future) in the past 5min of their login session, a reauthentication dialog to re-enter the credentials will be shown, and only after that has been completed properly will the request work. This reauthentication dialog has also been added to other critical operations (adding, changing and deleting users, adding, changing and deleting groups, installing plugins, revealing the deprecated global API key, generating, revoking, revealing and granting application keys, accessing the recovery page). The reauthentication timeout of 5min is configurable via `config.yaml`, see the documentation.

See also the [GitHub Security Advisory](https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr) and [CVE-2024-23637](https://nvd.nist.gov/vuln/detail/CVE-2024-23637).
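The reauthentication requirement described above, as an added example that is not OctoPrint's own code: a minimal user manager that records when a login session last proved possession of the password, refuses a password change unless that proof is younger than a configurable timeout (300 seconds here, standing in for the `config.yaml` setting the release notes mention; the real config key is in the OctoPrint documentation and is not reproduced here), and lets the session refresh that proof by re-entering the password. The names `UserManager`, `Session`, `ReauthenticationRequired` and the PBKDF2 hashing are assumptions of this example. The point for a defender is the last branch of the test: a stolen session cookie alone is no longer enough to change anyone's password, because the attacker cannot satisfy the reauthentication prompt.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional


class ReauthenticationRequired(Exception):
    """Raised when a sensitive operation is attempted outside the reauth window."""


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False


@dataclass
class Session:
    user: User
    # Unix time of the last successful *password* authentication in this login
    # session; None if the session never proved the password (assumed field name).
    password_authenticated_at: Optional[float] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the real application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(name: str, password: str, is_admin: bool = False) -> User:
    salt = os.urandom(16)
    return User(name, salt, hash_password(password, salt), is_admin)


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so a wrong guess does not leak timing information.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


class UserManager:
    def __init__(self, users, reauth_timeout_seconds: int = 300):
        self.users = {u.name: u for u in users}
        self.reauth_timeout = reauth_timeout_seconds  # example stand-in for the config.yaml value

    def login(self, name: str, password: str, now: Optional[float] = None) -> Session:
        user = self.users[name]
        if not verify_password(user, password):
            raise PermissionError("bad credentials")
        return Session(user, password_authenticated_at=time.time() if now is None else now)

    def reauthenticate(self, session: Session, password: str, now: Optional[float] = None) -> bool:
        """Re-enter the password; on success the reauth window restarts from now."""
        if not verify_password(session.user, password):
            return False
        session.password_authenticated_at = time.time() if now is None else now
        return True

    def require_recent_password_auth(self, session: Session, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        ts = session.password_authenticated_at
        if ts is None or now - ts > self.reauth_timeout:
            raise ReauthenticationRequired("re-enter your password to continue")

    def change_password(self, session: Session, target_name: str, new_password: str,
                        now: Optional[float] = None) -> None:
        # The vulnerable behaviour is this method *without* the next line:
        # an admin session, however obtained, could rotate anyone's password.
        self.require_recent_password_auth(session, now)
        if session.user.name != target_name and not session.user.is_admin:
            raise PermissionError("only admins may change other users' passwords")
        target = self.users[target_name]
        target.salt = os.urandom(16)
        target.pw_hash = hash_password(new_password, target.salt)


def demo() -> bool:
    """Walk through the fix with constructed users and a fake clock (seconds)."""
    mgr = UserManager([make_user("alice", "s3cret", True),
                       make_user("bob", "hunter2", True)], reauth_timeout_seconds=300)
    s = mgr.login("alice", "s3cret", now=1000.0)
    mgr.change_password(s, "bob", "first", now=1100.0)    # 100 s after login: allowed
    try:
        mgr.change_password(s, "bob", "second", now=1400.0)  # 400 s: window expired
        return False
    except ReauthenticationRequired:
        pass
    if mgr.reauthenticate(s, "wrong-guess", now=1400.0):   # hijacked session, no password
        return False
    if not mgr.reauthenticate(s, "s3cret", now=1400.0):    # legitimate admin re-enters it
        return False
    mgr.change_password(s, "bob", "second", now=1450.0)
    return verify_password(mgr.users["bob"], "second")


if __name__ == "__main__":
    print("reauth flow ok:", demo())
```

The check is attached to the operation rather than to the dialog, which matters when third-party clients talk to the same API: whatever the front end shows, the server refuses the request until the session has recently re-proved the password.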

✨ Features & improvements

Core

- [4586](https://github.com/OctoPrint/OctoPrint/issues/4586): Added the capability report of the firmware as returned from `M115` to `octoprint.log` and also to the systeminfo bundle, in the shape of a new `m115.txt` file that gets generated if the bundle gets created while there's an active printer connection.
- [4617](https://github.com/OctoPrint/OctoPrint/issues/4617): Added a manual refresh button to the webcam view that allows reloading the underlying webcam stream (if the webcam plugin supports that by having implemented `onWebcamRefresh` in its viewmodel, otherwise the button will be a no-op). Only gets made visible when hovering over the webcam.
- [4681](https://github.com/OctoPrint/OctoPrint/issues/4681): Added information on old and new file to the "file already exists dialog". See also [PR#4721](https://github.com/OctoPrint/OctoPrint/pull/4721).
- [4685](https://github.com/OctoPrint/OctoPrint/issues/4685): Implemented [a custom versioning tool](https://github.com/OctoPrint/OctoPrint/blob/maintenance/src/octoprint/_version.py) to replace the so far used customized version of `versioneer` that has gotten quite long in the tooth. It should behave the same, but with way less code to keep maintained.
- [4714](https://github.com/OctoPrint/OctoPrint/issues/4714): Added a new dialog that gets displayed when the printer reports an unrecoverable error, containing the error message, what happened due to that error (print cancellation, disconnect), if available a link to an FAQ entry, the last lines of communication and a big reminder that printer errors are *printer* errors and not OctoPrint's fault. The dialog will be automatically opened on connected clients, however it can also be accessed later by clicking on the new error icon added to the printer state panel.
- [4747](https://github.com/OctoPrint/OctoPrint/issues/4747): Made temperature graph time axis always show the configured cutoff interval. That should prevent any jumping of events.
- [4760](https://github.com/OctoPrint/OctoPrint/issues/4760): Made OctoPrint compatible with Python 3.12.
- [4764](https://github.com/OctoPrint/OctoPrint/issues/4764): Refactored the Tornado/WSGI interface based on the current Tornado code to make it async. That fixed the issue with connection reuse and as a very welcome side effect also very much increased the performance of the internal web server in general. Long running Flask endpoints now should no longer be able to fully block Tornado, and requests can get parallelized by the frontend, leading to a large reduction of time needed to fully load the UI.
- [4838](https://github.com/OctoPrint/OctoPrint/issues/4838): Improved performance of the internal settings data structure, reducing the initial settings fetch right after a server start from 2s+ to 400-700ms.
- [4843](https://github.com/OctoPrint/OctoPrint/issues/4843): Made the upload drop zone an optional feature that can be disabled in the settings. See also [PR#4853](https://github.com/OctoPrint/OctoPrint/pull/4853).
- [4866](https://github.com/OctoPrint/OctoPrint/issues/4866): Added axis labels to model size info. See also [PR#4898](https://github.com/OctoPrint/OctoPrint/pull/4898).
- [4880](https://github.com/OctoPrint/OctoPrint/issues/4880): Removed `scripts` folder from repo.
- [4881](https://github.com/OctoPrint/OctoPrint/issues/4881): Display an error popup in case of startup issues due to inaccessible application directories.
- [4892](https://github.com/OctoPrint/OctoPrint/issues/4892): Keep tool change controls enabled while printing.
- [4921](https://github.com/OctoPrint/OctoPrint/issues/4921): Added graph markers for the `Connected` and `Disconnected` events to the temperature graph.
- [PR4743](https://github.com/OctoPrint/OctoPrint/pull/4743): Migrate from `netifaces` to the pretty much drop-in replacement `netifaces2`, since the former has been abandoned.
- [PR4752](https://github.com/OctoPrint/OctoPrint/pull/4752): Send initial history message when the web socket subscription is changed.
- [PR4820](https://github.com/OctoPrint/OctoPrint/pull/4752): Added file and print head position to paused and cancel event & log entries.
- [PR4833](https://github.com/OctoPrint/OctoPrint/pull/4833): Improved first run wizard safety hints. They are now visually more alerting and the wizard now also requires the user to acknowledge having read and understood each warning by checking a checkbox.
- [PR4874](https://github.com/OctoPrint/OctoPrint/pull/4874): Added new `Thermal Malfunction` error to be recognized as a kill inducing error on Marlin.
- [PR4899](https://github.com/OctoPrint/OctoPrint/pull/4899): Removed the upper version pin for the `argon2-cffi` dependency.
- [PR4918](https://github.com/OctoPrint/OctoPrint/pull/4918): Made target temperature lines in the temperature graph dashed. Improves accessibility for color blind users.
- [PR4928](https://github.com/OctoPrint/OctoPrint/pull/4928): Further improve screen reader accessibility.
- Use a file `<basefolder>/.incomplete_startup` to flag an incomplete startup instead of a `config.yaml` entry. Makes it easier to reconfigure the server in CI situations.
- Improved the UX of the systeminfo CLI. `octoprint systeminfo` will now generate a bundle in the current directory even without an explicitly added `.` parameter. `octoprint systeminfo --short` has been added to generate an abridged version directly on the command line. This should clear up issues we saw in the past where people forgot the `.` and then just pasted the abridged text-only version when in fact a bundle was needed and requested.
- Added `progress` to `PrintFailed`, `PrintCancelled` and `PrintPaused` events.
- Added `operation` to `FileRemoved` event. Allows distinguishing between a removal due to an actual `remove` or a `move`.
- Added a funding banner to the About dialog and a funding link to the footer.

Achievement Plugin (✨ New!)

Added a new bundled Achievements plugin! OctoPrint will now internally record some instance stats and monitor some events and based on that give out various achievements. This version contains 36 achievements, 22 of which are hidden and for you to be discovered. Additionally, the instance stats are also being recorded per year to make it possible in the future to give you some yearly stats overview of your OctoPrint and printing use.

Action Command Notification Plugin

- [4326](https://github.com/OctoPrint/OctoPrint/issues/4326): Added ability to ignore incoming printer notifications based on a filter regex. This is to combat notification spam by firmwares which abuse the feature. Please talk to your firmware provider about not abusing the notification action command for things triggered by the user, e.g. mirroring `M117` commands! See also [PR#4886](https://github.com/OctoPrint/OctoPrint/pull/4886).

Application Keys Plugin

- [4894](https://github.com/OctoPrint/OctoPrint/issues/4894): Added application key details incl. QR Code to user settings. See also [PR#4895](https://github.com/OctoPrint/OctoPrint/pull/4895).

Classic Webcam Plugin

- [4837](https://github.com/OctoPrint/OctoPrint/issues/4837): Apply the selected camera aspect ratio to its `video` tag.

Discovery Plugin

- Updated the `zeroconf` dependency.

Event Manager Plugin

- [4869](https://github.com/OctoPrint/OctoPrint/issues/4869): Added UI support for events with multiple triggers. See also [PR#4851](https://github.com/OctoPrint/OctoPrint/pull/4851).

Plugin Manager Plugin

- Removed an unused variable.

Software Update Plugin

- [4819](https://github.com/OctoPrint/OctoPrint/issues/4819): OctoPrint will now be clearly marked as not updateable when running on Windows.

Virtual Printer Plugin

- [PR4799](https://github.com/OctoPrint/OctoPrint/pull/4799): Added support for generating an area report as part of the response to `M115`.
- Made the simulated errors configurable via the settings.

Documentation

- [4787](https://github.com/OctoPrint/OctoPrint/issues/4787): Added a note to the documentation of the `SettingsPlugin` mixin that updating settings will trigger a reload screen.
- [4852](https://github.com/OctoPrint/OctoPrint/issues/4852): Updated the plugin tutorial to reflect current CLI outputs.
- [PR4823](https://github.com/OctoPrint/OctoPrint/pull/4823): Slight improvement on the pause GCODE script.

Testing & CI

- [4908](https://github.com/OctoPrint/OctoPrint/issues/4908): Automatically publish release build artifacts on GitHub Releases as well as PyPI.
- Updated the `node-qunit-puppeteer` version to combat some JS unit test flakiness.
- Run the E2E tests against the lowest and highest supported Python version, to make sure things work on both edge cases.
- Updated `playwright` used for the E2E tests.

🐛 Bug fixes

Core

- [4719](https://github.com/OctoPrint/OctoPrint/issues/4719): Normalize paths in file manager methods and called hooks and events.
- [4753](https://github.com/OctoPrint/OctoPrint/issues/4753): Fixed an error when attempting to set a custom logging level under certain circumstances.
- [4756](https://github.com/OctoPrint/OctoPrint/issues/4756): Fixed including variables in GCODE scripts from more than one plugin. See also [PR#4757](https://github.com/OctoPrint/OctoPrint/pull/4757).
- [4769](https://github.com/OctoPrint/OctoPrint/issues/4769): Fixed a translation error in the included German language files. See also [PR#4897](https://github.com/OctoPrint/OctoPrint/pull/4897).
- [4800](https://github.com/OctoPrint/OctoPrint/issues/4800): Fixed folder sorting by date of last print.
- [4808](https://github.com/OctoPrint/OctoPrint/issues/4808): Fixed wrong initial field set in printer state (`printTimeOrigin` instead of the correct `printTimeLeftOrigin`).
- [4812](https://github.com/OctoPrint/OctoPrint/issues/4812): Fixed `octoprint systeminfo .`
- [PR4830](https://github.com/OctoPrint/OctoPrint/pull/4830): Fixed translatability of the filament usage information in the state panel.
- [4835](https://github.com/OctoPrint/OctoPrint/issues/4835): Fixed `octoprint get` not properly returning sub trees for plugin settings hierarchies, due to a missing initialization.
- [4841](https://github.com/OctoPrint/OctoPrint/issues/4841): Fixed a broken knockout binding in the GCODE Viewer's size warning dialog, leading to the file name missing. See also [PR#4842](https://github.com/OctoPrint/OctoPrint/pull/4842).
- [4843](https://github.com/OctoPrint/OctoPrint/issues/4843): Don't trigger the drop zone for uploading files when not dragging files. Fixes issues when accidentally dragging selected text and similar.
- [4867](https://github.com/OctoPrint/OctoPrint/issues/4867): Fixed a warning about using the old webcam settings access path.
- [4903](https://github.com/OctoPrint/OctoPrint/issues/4903): Hardened temperature offset code against empty temperature commands and added logging for such cases.
- [4922](https://github.com/OctoPrint/OctoPrint/issues/4922): Fixed sorting of folder list in "move or rename file" dialog.
- [4929](https://github.com/OctoPrint/OctoPrint/issues/4929): Fixed a regression in the webcam styles that caused issues with the (abandoned) third party plugin TouchUI. See also [PR#4930](https://github.com/OctoPrint/OctoPrint/pull/4930).
- [PR4794](https://github.com/OctoPrint/OctoPrint/pull/4794): Protect against issues when a double slash is contained in the timelapse base folder, leading to not being able to delete timelapses.
- Keep updating the temperature graph with empty entries even while disconnected, to ensure events shown there properly reflect their point in time from "now".
- Enabled CORS on asset plugins.
- Fixed some warnings in the vendored `awesome-slugify` dependency.

Classic Webcam Plugin

- [4885](https://github.com/OctoPrint/OctoPrint/issues/4885): Fixed snapshot timeout & SSL validation settings.

Discovery Plugin

- [4814](https://github.com/OctoPrint/OctoPrint/issues/4814): Join multicast group for SSDP discovery on all available addresses. Fixes issues with discovery on VLAN enabled hosts.

Plugin Manager Plugin

- Properly handle unset plugin versions in plugin notifications from the repository, e.g. when attempting to load notifications for a bundled plugin (which normally shouldn't happen, but turned out to happen during development thanks to an identifier clash).

Software Update Plugin

- Fixed `httpheader` check type. It was not storing its current value properly.

Virtual Printer Plugin

- [4907](https://github.com/OctoPrint/OctoPrint/issues/4907): Fixed a race condition related to `G4` and `wait`.

Documentation

- [4906](https://github.com/OctoPrint/OctoPrint/issues/4906): Adjusted documentation to reflect correct name for `logsViewModel` dependency.
- [PR4815](https://github.com/OctoPrint/OctoPrint/pull/4815): Updated documentation of `PrinterInterface.set_temperature` to reflect the current implementation.
- [PR4868](https://github.com/OctoPrint/OctoPrint/pull/4868): Removed some repeating words.
- Clarify how to reconfigure log formatters. OctoPrint now uses either `simple` or `colored` formatters for the console log output; this still needed to get properly documented.

🎉 Special thanks to all the contributors!

Special thanks to everyone who contributed to this RC, especially to 0r31, bigfoxtail, CMR-DEV, cociweb, cperrin88, credomane, crysxd, danielkucera, dawidpieper, eumiro, evanwurden, hynek, jatin-47, jneilliii, kaenguruhs, mad73923, max246, MichaIng, mintsoft, neod123 and thinkyhead for their PRs!

And an extra shoutout to our 13 first time contributors: bigfoxtail, CMD-DEV, cociweb, cperrin88, credomane, danielkucera, evanwurden, hynek, jatin-47, kaenguruhs, mad73923, mintsoft and neod123! 🎉

Also a big thank you to [Timothy "TK" Ruppert](https://github.com/tkruppert) for responsibly disclosing the security vulnerability that was fixed in this release.

🔗 More information

- [Commits](https://github.com/OctoPrint/OctoPrint/compare/1.9.3...1.10.0rc1)


Severity Details

CVSS Base Score

MEDIUM 4.9

CVSS v3 Details

MEDIUM 4.9

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | HIGH |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality Impact (C) | NONE |
| Integrity Impact (I) | NONE |
| Availability Impact (A) | HIGH |