CVE-2022-2872 : Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/o

Unrestricted Upload of File with Dangerous Type in GitHub repository octoprint/octoprint prior to 1.8.3.

Published 2022-09-21 10:15:09

Updated 2022-09-23 17:58:22

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2022-2872

Octoprint » Octoprint
Versions before (<) 1.8.3
cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 22 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.7	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N	1.2	2.5	huntr.dev
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: security@huntr.dev (Primary)

https://huntr.dev/bounties/b966c74d-6f3f-49fe-b40a-eaf25e362c56

Unrestricted File Upload Allowed due to Flawed Move File Functionality vulnerability found in octoprint
Exploit;Patch;Third Party Advisory
https://github.com/octoprint/octoprint/commit/3e3c11811e216fb371a33e28412df83f9701e5b0

🔒️ Enforce valid type on copy/move of uploads · OctoPrint/OctoPrint@3e3c118 · GitHub
Patch;Third Party Advisory

Jump to