Fluid Attacks Database

Description

OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type OctoPrint prior to version 1.8.3 is vulnerable to Unrestricted Upload of File with Dangerous Type. Due to misconfiguration in move file functionality, an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file. Version 1.8.3 contains a patch.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	octoprint	>=0 <1.8.3	1.8.3

Aliases

1. CVE-2022-28722. NVD-2022-28723. OSV-2022-28724. GCVE-2022-2872

References

1. https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b02. https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-286.yaml3. https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.