How severe is CVE-2024-32977?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.4 out of 10.

What type of vulnerability is CVE-2024-32977?

This is classified as CWE-290, which is a common weakness in software security.

CVE-2024-32977 - CRITICAL Severity | CVSS 9.4

Vulnerability Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

Related Vulnerabilities

CVE-2024-54450

CRITICAL

CVSS:9.4(Critical)

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mention...

CWE-2902024

CVE-2025-25182

CRITICAL

CVSS:9.4(Critical)

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authenti...

CWE-2902025

CVE-2022-31149

CRITICAL

CVSS:9.6(Critical)

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker f...

CWE-2902022

CVE-2024-12108

CRITICAL

CVSS:9.6(Critical)

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

CWE-2902024

CVE-2024-23674

CRITICAL

CVSS:9.6(Critical)

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for...

CWE-2902024

CVE-2017-14487

CRITICAL

CVSS:9.1(Critical)

The OhMiBod Remote app for Android and iOS allows remote attackers to impersonate users by sniffing network traffic for search responses from the OhMiBod API server and then editing the username, user...

CWE-2902017