3.7

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2872

GHSA ID

GHSA-49wm-4fp6-h59c

EPSS Score

0.28394%

CWE

CWE-434

Published

9/22/2022

Updated

10/7/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2872

CVE-2022-2872: OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

OctoPrint prior to version 1.8.3 is vulnerable to Unrestricted Upload of File with Dangerous Type. Due to misconfiguration in move file functionality, an attacker could easily change the file extension of an uploaded malicious file disguised as a .gcode file. Version 1.8.3 contains a patch.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-2872

CVE-2022-2872:

3.7

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2022-2872

GHSA ID

GHSA-49wm-4fp6-h59c

EPSS Score

0.28394%

CWE

CWE-434

Published

9/22/2022

Updated

10/7/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
OctoPrint	pip	< 1.8.3	1.8.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing file type validation in copy/move operations. The patch added octoprint.filemanager.valid_file_type checks to these functions. Pre-patch versions allowed renaming uploaded .gcode files to dangerous types (like .html) via these functions. The commit diff explicitly shows these validations were added to copy_file and move_file in storage.py, confirming they were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-2872: OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

CVE-2022-2872:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

3.7

3.7

CVE-2022-2872: OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI