Miggo Logo

CVE-2022-2822: OctoPrint does not have rate limiting on the login page

3.7

CVSS Score
3.1

Basic Information

EPSS Score
0.2933%
Published
8/16/2022
Updated
9/1/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
OctoPrintpip<= 1.7.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the absence of rate limiting on the POST /login endpoint. The fix commit adds a Flask-Limiter decorator (@limiter.limit) to this specific route, which was previously missing. The login handler function itself (def login()) remained otherwise unchanged, indicating the vulnerability was specifically about missing access control wrappers rather than flawed logic within the function. Supporting changes in templates and static files only implement error message differentiation between credential errors and rate limiting errors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*toPrint *.*.* *n* prior *o*s not **v* r*t* limitin* on t** lo*in p***, m*kin* it possi*l* *or *tt**k*rs to *tt*mpt *rut* *or** *tt**ks. T** s*v*rity o* t*is issu* is limit** *y O*toPrint norm*lly runnin* in * r*stri*t** L*N. T** `**v*l` *n* `m*int*

Reasoning

T** vuln*r**ility st*ms *rom t** **s*n** o* r*t* limitin* on t** POST /lo*in *n*point. T** *ix *ommit ***s * `*l*sk-Limit*r` ***or*tor (@limit*r.limit) to t*is sp**i*i* rout*, w*i** w*s pr*viously missin*. T** lo*in **n*l*r *un*tion its*l* (`*** lo*i