CVE-2022-2888
MEDIUM4.4EPSS 0.05%OctoPrint vulnerable to Insufficient Session Expiration.
Published: 9/22/2022Modified: 10/8/2024
Description
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. This issue is fixed in version 1.8.3.
Affected packages (2)
- PyPI/octoprintfrom 0, < 1.8.3
- PyPI/octoprintfrom 0, < 40e6217ac1a85cc5ed592873ae49db01d3005da4 | from 0, < 1.8.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.4 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-2888
- PATCHhttps://github.com/octoprint/octoprint
- WEBhttps://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-282.yaml
- WEBhttps://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629