CVE-2024-32977

Advisory

Affected versions of OctoPrint contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact.. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or make the instance inaccessible from potentially hostile networks like the internet.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4
• https://github.com/advisories/GHSA-2vjq-hg5w-5gm7
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32977