CVE-2022-2888

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4	Patch Third Party Advisory
https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629	Exploit Patch Third Party Advisory
https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4	Patch Third Party Advisory
https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:01

Type	Values Removed	Values Added
References	~~() https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4 - Patch, Third Party Advisory~~	() https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4 - Patch, Third Party Advisory
References	~~() https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629 - Exploit, Patch, Third Party Advisory~~	() https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629 - Exploit, Patch, Third Party Advisory

Information

Published : 2022-09-21 12:15

Updated : 2024-11-21 07:01

NVD link : CVE-2022-2888

Mitre link : CVE-2022-2888

CVE.ORG link : CVE-2022-2888

JSON object : View

Products Affected

octoprint

octoprint

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2022-2888", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}]}, "published": "2022-09-21T12:15:09.923", "references": [{"url": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", "tags": ["Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}, {"url": "https://github.com/octoprint/octoprint/commit/40e6217ac1a85cc5ed592873ae49db01d3005da4", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://huntr.dev/bounties/d27d232b-2578-4b32-b3b4-74aabdadf629", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists."}, {"lang": "es", "value": "Si un atacante entra en posesi\u00f3n de la cookie de sesi\u00f3n de OctoPrint de una v\u00edctima mediante cualquier medio, el atacante puede usar esta cookie para autenticarse mientras la cuenta de la v\u00edctima exista"}], "lastModified": "2024-11-21T07:01:52.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "900F81F7-9FC4-44CE-ABD6-1E82DC120B4B", "versionEndExcluding": "1.8.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}