CVE-2023-41047

{"id": "CVE-2023-41047", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.6}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 0.7}]}, "published": "2023-10-09T16:15:10.480", "references": [{"url": "https://github.com/OctoPrint/OctoPrint/commit/d0072cff894509c77e243d6562245ad3079e17db", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.9.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-fwfg-vprh-97ph", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}]}], "descriptions": [{"lang": "en", "value": "OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted GCODE script that will allow code execution during rendering of that script. An attacker might use this to extract data managed by OctoPrint, or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. OctoPrint versions from 1.9.3 onward have been patched. Administrators of OctoPrint instances are advised to make sure they can trust all other administrators on their instance and to also not blindly configure arbitrary GCODE scripts found online or provided to them by third parties."}, {"lang": "es", "value": "OctoPrint es una interfaz web para impresoras 3D. Las versiones de OctoPrint hasta la 1.9.2 incluida contienen una vulnerabilidad que permite a administradores malintencionados configurar un script GCODE especialmente manipulado que permitir\u00e1 la ejecuci\u00f3n de c\u00f3digo durante la representaci\u00f3n de ese script. Un atacante podr\u00eda usar esto para extraer datos administrados por OctoPrint o manipular datos administrados por OctoPrint, as\u00ed como ejecutar comandos arbitrarios con los derechos del proceso OctoPrint en el sistema servidor. Se han parcheado las versiones de OctoPrint desde 1.9.3 en adelante. Se recomienda a los administradores de instancias de OctoPrint que se aseguren de que pueden confiar en todos los dem\u00e1s administradores de su instancia y que tampoco configuren ciegamente scripts GCODE arbitrarios que se encuentren en l\u00ednea o que les proporcionen terceros."}], "lastModified": "2023-10-13T18:40:38.120", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octoprint:octoprint:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DDB94E4-F56F-4C7C-A828-B76E70051E66", "versionEndExcluding": "1.9.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}