Considering that OctoPrint is used to run consumer grade 3d printers and hence usually runs in a restricted LAN, unless the user has actively decided to make it accessible through a port forward or any other such configuration against all of OctoPrint's recommendations an attack like this would require significant work by the attacker to even obtain access to the instance in the first place, after learning it even is available. I'm therefore arriving at a CVSS vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N here, which boils down to a score of 3.7 and thus Low severity.

To further elaborate my classification:

AV:N - network access indeed suffices AC:H - the attacker needs access to the network first, and knowledge of there being a target to exploit, as OctoPrint is usually not run on the public internet, not supposed to be run there, and frankly it doesn't even make sense to run it there either given that it needs physical connection to a 3d printer to even operate. The attacker also needs to brute force not only the password but also the username, and OctoPrint doesn't distinguish whether a failing attempt to login is due to a username or password mismatch. PR:N - indeed no privileges required UI:N - no user interaction required S:U - the only victim in case of a successful attack is OctoPrint C:L - the brute forced user account gets taken over, nothing else I:N - no side effects on the integrity of the system A:N - no side effects on the availability of the system

Even if we assume AC:L (which given the mode of operation of OctoPrint is a long stretch here) we arrive at a score of 5.3 (Medium).

I'm therefore downgrading the severity of this report.

I've also just noticed that the selected CWE wasn't the right one, CWE-307 Improper Restriction of Excessive Authentication Attempts is precisely what this is about from my understanding, so I've changed that as well.

Thank you so much for these valuable information. Also appreciate for assign CVE. Thanks.

You are welcome!

@admin I was sure I had provided a slightly more explanatory description when requesting the CVE assignment, but on the published CVE now I still only see the somewhat generic text that originates from the Impact here. Did I do something wrong or is there some underlying workflow issue here?

Hi Gina, apologies for this. It looks like a bug from our side. Ben from our team is looking into what happened here and we will keep you updated.

Hi Jamie, thank you, good to know it's apparently not my fault then 😅

Not at all!