GitHub_M·CWE-1336·Published 2023-10-09
OctoPrint is a web interface for 3D printers. OctoPrint versions up to and including 1.9.2 contain a vulnerability that allows a malicious admin to configure a specially crafted GCODE script that leads to code execution when that script is rendered. An attacker can use this to read or modify data managed by OctoPrint, and to execute arbitrary commands with the rights of the OctoPrint process on the server. OctoPrint 1.9.3 and later are patched. Administrators of OctoPrint instances should make sure they trust every other administrator on their instance, and should not blindly configure GCODE scripts found online or supplied by third parties.
### Impact

OctoPrint versions up to and including 1.9.2 contain a vulnerability that allows a malicious admin to configure a specially crafted [GCODE script](https://docs.octoprint.org/en/master/features/gcode_scripts.html) through the Settings that leads to code execution when that script is rendered. GCODE scripts are rendered as Jinja2 templates (see the linked documentation), so this is a server-side template injection (CWE-1336): template syntax placed in the script body is evaluated by the OctoPrint process instead of being passed to the printer as text. An attacker can use this to read or modify data managed by OctoPrint, and to execute arbitrary commands with the rights of the OctoPrint process on the server.

Please note that GCODE files uploaded to be printed are *not* affected. This vulnerability exclusively affects the GCODE scripts executed on connection to the printer, print pause, resume, etc., as described [in the documentation](https://docs.octoprint.org/en/master/features/gcode_scripts.html). They are found under Settings > GCODE Scripts and are configurable only by users with the `ADMIN` permission, which is why the attacker must already be an administrator.

### Patches

The vulnerability has been patched in version 1.9.3.

### Workarounds

OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation and to not blindly configure GCODE scripts found online or provided to them by third parties. A script received from a third party should be read in full before it is saved: a legitimate script contains GCODE commands and, at most, simple template logic over the documented context such as `printer_profile`, not attribute chains into Python internals.

### Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by tianxin Wu (Bearcat), Vulnerability Researcher at Numen Cyber Labs, Singapore.
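To make the "read the script before you save it" advice mechanical, the following added example (not OctoPrint's own code, and not part of the original advisory) scans GCODE script files for Jinja2 tags that reach outside the documented template context: dunder attribute access, dunder subscripts, `attr()` filter tricks, `__import__`, and shell-style helpers. It assumes the default on-disk location OctoPrint uses for these scripts (`<basedir>/scripts/gcode/`, with `~/.octoprint` as the usual base directory; pass a different path if yours differs), and the two sample scripts are constructed for the demo. It is a triage heuristic: a clean result means only that none of the listed patterns appeared, not that the script is safe.

```python
"""Triage scanner for OctoPrint GCODE scripts (Jinja2 templates).

Added example, not OctoPrint's own code. Assumption: scripts live under
<basedir>/scripts/gcode/ (default basedir ~/.octoprint). The patterns below
flag template tags that reach for Python internals instead of GCODE; they
are a heuristic for review, not a safety proof.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Jinja2 expression, statement and comment tags.
TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)

# Constructs that have no business in a GCODE template.
SUSPICIOUS = {
    "dunder_attribute": re.compile(r"\.__\w+__"),
    "dunder_subscript": re.compile(r"""\[\s*['"]__\w+__['"]\s*\]"""),
    "attr_filter_dunder": re.compile(r"""\|\s*attr\s*\(\s*['"]__"""),
    "import_builtin": re.compile(r"__import__|import_module"),
    "shell_helpers": re.compile(r"\b(popen|system|subprocess|eval|exec)\b"),
}

# Constructed sample: the kind of cooldown script the documentation shows,
# using only the documented context object printer_profile.
BENIGN_SCRIPT = """; afterPrintCancelled
{% if printer_profile.heatedBed %}M140 S0{% endif %}
{% for tool in range(printer_profile.extruder.count) %}M104 T{{ tool }} S0
{% endfor %}M84
"""

# Constructed sample: looks like a cooldown script, but the template tags
# walk from a context object into Python internals (the CWE-1336 pattern).
SUSPICIOUS_SCRIPT = """; beforePrintStarted
; second half is not GCODE at all
M104 S0
{{ printer_profile.__class__.__mro__[1].__subclasses__() }}
{% set b = printer_profile['__init__']['__globals__'] %}
{{ ''|attr('__class__') }}
"""


def scan_script(text: str) -> List[Dict[str, object]]:
    """Return one finding per (tag, rule) pair; comments are skipped since
    Jinja2 never evaluates them."""
    findings: List[Dict[str, object]] = []
    for m in TAG_RE.finditer(text):
        tag = m.group(0)
        if tag.startswith("{#"):
            continue
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(tag):
                line = text.count("\n", 0, m.start()) + 1
                findings.append({"rule": rule, "line": line, "tag": tag.strip()})
    return findings


def scan_gcode_scripts(scripts_dir: Path) -> Dict[str, List[Dict[str, object]]]:
    """Scan every file below scripts_dir (including snippets/) and report
    only the files with findings, keyed by path relative to scripts_dir."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for path in sorted(scripts_dir.rglob("*")):
        if path.is_file():
            hits = scan_script(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(scripts_dir))] = hits
    return report


def demo_report() -> Dict[str, List[Dict[str, object]]]:
    """Write the constructed samples into a temporary scripts/gcode tree
    and scan it, so the example runs without touching a real install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "scripts" / "gcode"
        root.mkdir(parents=True)
        (root / "afterPrintCancelled").write_text(BENIGN_SCRIPT, encoding="utf-8")
        (root / "beforePrintStarted").write_text(SUSPICIOUS_SCRIPT, encoding="utf-8")
        return scan_gcode_scripts(root)


if __name__ == "__main__":
    # For a real instance: scan_gcode_scripts(Path.home() / ".octoprint/scripts/gcode")
    for name, hits in demo_report().items():
        for h in hits:
            print(f"{name}:{h['line']}: {h['rule']}: {h['tag']}")
```

Run it against a real instance by passing `Path.home() / ".octoprint" / "scripts" / "gcode"` (or your configured base directory) to `scan_gcode_scripts`; anything it reports deserves a manual read before the instance is upgraded past 1.9.2, and a review of which admin account saved it. Because the patterns match strings, obfuscation (string concatenation with `~`, `format` filters, lookups through `request`-style objects) can slip past; treat the scanner as a first pass, not a replacement for upgrading.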
| CVSS version | Type | Source | Base score | Exploitability subscore | Impact subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 6.5 | 0.6 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 6.2 | — | — | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L |
| 3.1 | Secondary | GHSA | 6.5 | — | — | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 6.2 | 0.7 | 5.5 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L |
| 4.0 | Secondary | GHSA | 8.4 | — | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |