| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in OctoPrint. It affects unknown functionality of the Session Cookie Handler component, and the manipulation results in insufficient session expiration. The issue is tracked as CVE-2022-2888. The attack can be launched remotely. No public exploit is known. Applying the patch is advised to resolve this issue.
Details
A vulnerability classified as problematic has been found in OctoPrint (affected version not known). It affects unknown functionality of the Session Cookie Handler component. Manipulation with an unknown input leads to an insufficient session expiration vulnerability. CWE classifies the issue as CWE-613. According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." The impact is on confidentiality. CVE summarizes:
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.
The weakness was disclosed on 09/21/2022. The advisory is available at huntr.dev. The vulnerability has been tracked as CVE-2022-2888 since 08/18/2022. Neither technical details nor an exploit are publicly available.
Applying the patch 40e6217ac1a85cc5ed592873ae49db01d3005da4 eliminates this problem. The bugfix is available at github.com.
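The CVE text above describes the CWE-613 failure mode: a stolen cookie stays valid as long as the account exists, because nothing ties it to a revocable server-side state. The following added example (not OctoPrint's code, and not the content of the referenced patch) shows one common mitigation: a signed cookie that carries a per-user session generation and an issue time, so that logout, a password change, or an absolute lifetime invalidates every previously issued cookie. The class and method names (SessionStore, issue_cookie, verify_cookie, revoke_all_sessions) are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


class SessionStore:
    """Constructed example of revocable, expiring session cookies (not OctoPrint's API)."""

    def __init__(self, secret: bytes, max_age: int = 3600):
        self.secret = secret          # server-side HMAC key
        self.max_age = max_age        # absolute lifetime in seconds
        self.users = {}               # username -> {"generation": int}

    def add_user(self, name: str) -> None:
        self.users[name] = {"generation": 0}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.secret, payload, hashlib.sha256).hexdigest()

    def issue_cookie(self, name: str, now=None) -> str:
        # The cookie embeds the user's current generation and the issue time.
        now = int(time.time() if now is None else now)
        body = json.dumps({"u": name, "g": self.users[name]["generation"], "iat": now}).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._sign(body)

    def verify_cookie(self, cookie: str, now=None):
        # Returns the username for a valid cookie, or None for any failure.
        now = int(time.time() if now is None else now)
        try:
            b64, sig = cookie.rsplit(".", 1)
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(self._sign(body), sig):
            return None                              # tampered or forged
        data = json.loads(body)
        user = self.users.get(data["u"])
        if user is None or data["g"] != user["generation"]:
            return None                              # account gone or sessions revoked
        if now - data["iat"] > self.max_age:
            return None                              # absolute expiry reached
        return data["u"]

    def revoke_all_sessions(self, name: str) -> None:
        # Call on logout, password change, or suspected cookie theft.
        self.users[name]["generation"] += 1
```

Without the generation check and the expiry check, verify_cookie would accept any correctly signed cookie for as long as the account exists, which is exactly the behaviour the CVE describes.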
VulDB is the best source for vulnerability data and more expert information about this specific topic.
CVSSv3
VulDB Meta Base Score: 4.2
VulDB Meta Temp Score: 4.1
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
NVD Base Score: 4.4
CNA Base Score (huntr.dev): 4.4
Exploiting
Class: Session expiration
CWE: CWE-613
Physical: Partially
Local: Yes
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Patch
Patch: 40e6217ac1a85cc5ed592873ae49db01d3005da4
Timeline
08/18/2022: CVE-2022-2888 assigned
09/21/2022: advisory disclosed; VulDB entry created
10/21/2022: VulDB entry updated
Sources
Product: github.com
Advisory: 40e6217ac1a85cc5ed592873ae49db01d3005da4 (github.com)
Status: Confirmed
CVE: CVE-2022-2888
GCVE (CVE): GCVE-0-2022-2888
GCVE (VulDB): GCVE-100-209232
Entry
Created: 09/21/2022 19:30
Updated: 10/21/2022 19:30
Changes: 09/21/2022 19:30 (48), 10/21/2022 19:22 (1), 10/21/2022 19:30 (11)