Weak Password Change Mechanism in octoprint/octoprint
Reported on
Aug 20th 2022
Description
The user password change page does not require knowledge of the existing password.
Proof of Concept
- Log in as a normal user.
- Go to the User Dashboard page and click "User Settings".
- Set any new password.
- Click "Confirm".
- The password is changed successfully.
Impact
An attacker that gains access to an active user session can change the account password without prior knowledge of the current password.
I arrive at CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L for this and thus 5.3 (Medium)
AV:L - "Log in as a normal user". So you need access to the victim's browser session in the first place, and thus this is local.
AC:L - Once you have a login session, this is indeed low complexity.
PR:L - You need to be able to use the victim's browser in their name, with their regular privileges.
UI:N - No further help from the user needed.
S:U - Only OctoPrint is affected.
C:L - Only the victim's account is affected.
I:L - Only the victim's account is affected.
A:L - Only the victim's account is affected.
Ironically I already noticed this myself last week and fixed it on the development branch. So it'll be solved in 1.9.0 and actually 1.8.3 since I'll backport it to the next bugfix/security release.