CVE-2022-2822

LOW3.7EPSS 0.28%

OctoPrint does not have rate limiting on the login page

Published: 8/16/2022Modified: 2/16/2024

Description

OctoPrint 1.7.3 and prior does not have rate limiting on the login page, making it possible for attackers to attempt brute force attacks. The severity of this issue is limited by OctoPrint normally running in a restricted LAN. The `devel` and `maintenance` branches of the repository have a fix that limits the rate of failed login attempts.

Affected packages (1)

PyPI/octoprintfrom 0, <= 1.7.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2822
PATCHhttps://github.com/octoprint/octoprint
WEBhttps://github.com/octoprint/octoprint/commit/82c892ba40b3741d1b7711d949e56af64f5bc2de
WEBhttps://huntr.dev/bounties/6369f355-e6ef-4469-af75-0f6ff00cde3d