Miggo Logo
Miggo Vulnerability Database
CVE-2022-2872

CVE-2022-2872: OctoPrint vulnerable to Unrestricted Upload of File with Dangerous Type

3.7

CVSS Score
3.0

Basic Information

CVE ID
CVE-2022-2872
GHSA ID
GHSA-49wm-4fp6-h59c
EPSS Score
0.28394%
CWE
CWE-434
Published
9/22/2022
Updated
10/7/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
OctoPrintpip< 1.8.31.8.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from missing file type validation in copy/move operations. The patch added octoprint.filemanager.valid_file_type checks to these functions. Pre-patch versions allowed renaming uploaded .gcode files to dangerous types (like .html) via these functions. The commit diff explicitly shows these validations were added to copy_file and move_file in storage.py, confirming they were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*toPrint prior to v*rsion *.*.* is vuln*r**l* to Unr*stri*t** Uplo** o* *il* wit* **n**rous Typ*. *u* to mis*on*i*ur*tion in mov* *il* *un*tion*lity, *n *tt**k*r *oul* **sily ***n** t** *il* *xt*nsion o* *n uplo**** m*li*ious *il* *is*uis** *s * `.*

Reasoning

T** vuln*r**ility st*mm** *rom missin* *il* typ* v*li**tion in *opy/mov* op*r*tions. T** p*t** ***** o*toprint.*il*m*n***r.v*li*_*il*_typ* ****ks to t**s* *un*tions. Pr*-p*t** v*rsions *llow** r*n*min* uplo**** .**o** *il*s to **n**rous typ*s (lik* .