CVE-2022-2822: OctoPrint does not have rate limiting on the login page
3.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.2933%
CWE
Published
8/16/2022
Updated
9/1/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
OctoPrint | pip | <= 1.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of rate limiting on the POST /login endpoint. The fix commit adds a Flask-Limiter
decorator (@limiter.limit) to this specific route, which was previously missing. The login handler function itself (def login()
) remained otherwise unchanged, indicating the vulnerability was specifically about missing access control wrappers rather than flawed logic within the function. Supporting changes in templates and static files only implement error message differentiation between credential errors and rate limiting errors.