OctoPrint-SpoolManager Authentication Bypass Vulnerability in API
Vulnerability
A vulnerability exists in the OctoPrint-SpoolManager plugin, which manages spools and their usage metadata. In stable-branch versions through 1.7.7 and testing-branch versions through 1.8.0a2, the plugin's API endpoints do not properly enforce authentication and authorization. As a result, unauthenticated users can access and modify the SpoolManager database, including wiping all of its data through a reset. The impact is significantly reduced for users running OctoPrint 1.11.2 or newer, where an unauthenticated request can only reset the database to empty.
Impact
Exploitation of this vulnerability gives an attacker unauthorized access to the SpoolManager API, allowing them to reset the plugin's settings and, on OctoPrint versions prior to 1.11.2, to download, modify, or delete the plugin's database.
Remediation
Users are advised to update to OctoPrint-SpoolManager version 1.8.0a3 on the testing branch or 1.7.8 on the stable branch. On OctoPrint 1.11.2 or newer, an unauthenticated request can only reset the database to empty, but installing the update is still recommended.