PT-2024-25024 · Octoprint · Octoprint

Jacopotediosi · Published 2024-05-14 · Updated 2024-05-14 · CVE-2024-32977

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OctoPrint versions up to and including 1.10.0

Description: OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows an unauthenticated attacker to bypass authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, by spoofing their IP via the X-Forwarded-For header. This vulnerability does not have any impact if autologin is not enabled.

Recommendations: For OctoPrint versions up to and including 1.10.0, update to version 1.10.1 to resolve the issue. As a temporary workaround, consider disabling the autologinLocal option within config.yaml until a patch is applied. Restrict access to the instance from potentially hostile networks like the internet to minimize the risk of exploitation.
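As an added illustration (not OctoPrint's code; the network ranges and proxy list are constructed), the weak pattern of trusting X-Forwarded-For from any peer is shown next to a hardened resolver that only honours the header when the direct peer is a configured reverse proxy and walks the chain from the proxy-appended end:

```python
import ipaddress

# Constructed configuration, not OctoPrint's: networks that qualify for
# local autologin, and the reverse proxies whose X-Forwarded-For is trusted.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def _in_any(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address never matches any network
    return any(addr in net for net in networks)


def client_ip_naive(remote_addr, headers):
    """Weak pattern: believe X-Forwarded-For no matter who sent it."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr, headers):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy,
    and walk the chain right to left, stopping at the first untrusted hop
    (the hop appended by the trusted proxy is the real client)."""
    if not _in_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr  # direct connection: the header is client-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        candidate = hop
        if not _in_any(hop, TRUSTED_PROXIES):
            break
    return candidate


def autologin_allowed(remote_addr, headers, autologin_local=True, hardened=True):
    """Decide whether a request qualifies for local-network autologin."""
    if not autologin_local:
        return False
    resolve = client_ip_hardened if hardened else client_ip_naive
    return _in_any(resolve(remote_addr, headers), LOCAL_NETWORKS)
```

With the naive resolver a direct connection from outside the local networks that carries a forged header is treated as local; the hardened resolver ignores the header entirely unless the peer is a trusted proxy.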

Weakness Enumeration

Authentication Bypass by Spoofing

References

Exploit · Fix


Related Identifiers

CVE-2024-32977
GHSA-2VJQ-HG5W-5GM7
PYSEC-2024-237

Affected Products

Octoprint