
CVE-2022-2888: OctoPrint vulnerable to Insufficient Session Expiration.

CVSS Score (v3.1): 4.4

Basic Information

EPSS Score
0.07179%
Published
9/22/2022
Updated
10/8/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name
OctoPrint
Ecosystem
pip
Vulnerable Versions
< 1.8.3
First Patched Version
1.8.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from four key issues:

1) Sessions were only invalidated 24h after creation, rather than after 15m of inactivity
2) No session freshness (last-activity) tracking
3) Remember-me cookies weren't tied to the user's password hash, so a password change did not invalidate them
4) No session signature validation

The fix commit introduced session touch tracking, password-hash-linked cookies, signature validation, and stricter session cleanup, indicating these were the vulnerable areas. The functions handling session lifecycle management and cookie encoding/validation were directly modified to address these flaws.
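The four issues above are easiest to see side by side in code. The following is an added illustration written for this page; it is not OctoPrint's code and does not reproduce the 1.8.3 fix. It contrasts a session store that only checks creation time with one that touches the session on every use and enforces both an idle timeout and an absolute lifetime, and it shows a remember-me cookie whose signature is derived from the user's current password hash, so a password change or any tampering makes the cookie fail validation. The class names, the 15 minute / 24 hour values, the `user|expires|sig` cookie layout and the `lookup_password_hash` callback are all assumptions made for the example.

```python
"""Added example (not OctoPrint's code): creation-time-only expiry versus
inactivity tracking, plus a remember-me cookie bound to the password hash.
Timeouts, names and the cookie layout are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumed)
IDLE_TIMEOUT = 15 * 60                   # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 24 * 3600            # hard cap regardless of activity


class WeakSessionStore:
    """Before: a session lives 24h from creation no matter how long it sits idle."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now}
        return sid

    def resolve(self, sid, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or now - s["created"] > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid, None)
            return None
        return s["user"]  # a stolen cookie stays usable for up to 24h


class HardenedSessionStore:
    """After: every request touches the session; idle or stale sessions are dropped."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def _expired(self, s, now):
        return (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_LIFETIME)

    def resolve(self, sid, now=None):
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or self._expired(s, now):
            self._sessions.pop(sid, None)
            return None
        s["last_seen"] = now  # freshness tracking: the session is "touched" on use
        return s["user"]

    def cleanup(self, now=None):
        """Evict every expired session, not just the ones that happen to be used."""
        now = time.time() if now is None else now
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def _cookie_key(password_hash):
    # Signing key depends on the server secret AND the user's current password hash,
    # so changing the password silently invalidates every outstanding cookie.
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()


def issue_remember_me(user, password_hash, expires_at):
    payload = f"{user}|{expires_at}"
    sig = hmac.new(_cookie_key(password_hash), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def validate_remember_me(cookie, lookup_password_hash, now=None):
    """Return the user name if the cookie is intact, unexpired and signed under the
    user's *current* password hash; otherwise None."""
    now = time.time() if now is None else now
    try:
        user, expires_at, sig = cookie.rsplit("|", 2)
        expires_at = int(expires_at)
    except ValueError:
        return None
    current_hash = lookup_password_hash(user)  # assumed callback into the user store
    if current_hash is None or now > expires_at:
        return None
    payload = f"{user}|{expires_at}".encode()
    expected = hmac.new(_cookie_key(current_hash), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or issued under an old password
    return user
```

Running `WeakSessionStore.resolve` 23 hours after creation still returns the user, which is the behaviour an attacker holding a stolen cookie benefits from; the hardened store refuses the same cookie after 15 idle minutes, and `validate_remember_me` rejects the cookie as soon as the password hash behind it changes.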


WAF Protection Rules

WAF Rule

If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists. This issue is fixed in version 1.8.3.
