{"id":"GHSA-x9rq-fjp5-qgm9","summary":"OctoPrint Incorrect Access Control","details":"The Logging subsystem in OctoPrint before 1.6.0 has incorrect access control because it attempts to manage files that are not `*.log` files.","aliases":["CVE-2021-32560","PYSEC-2021-29"],"modified":"2024-10-08T13:04:22.865772Z","published":"2022-05-24T19:02:06Z","database_specific":{"github_reviewed_at":"2024-04-22T22:50:31Z","nvd_published_at":"2021-05-11T14:15:00Z","severity":"HIGH","cwe_ids":["CWE-284"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32560"},{"type":"PACKAGE","url":"https://github.com/OctoPrint/OctoPrint"},{"type":"WEB","url":"https://github.com/OctoPrint/OctoPrint/releases/tag/1.6.0"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2021-29.yaml"},{"type":"WEB","url":"https://octoprint.org/blog/2021/04/27/new-release-1.6.0"},{"type":"WEB","url":"https://www.brzozowski.io"},{"type":"WEB","url":"https://www.brzozowski.io/web-applications/2021/05/11/the-insecure-story-of-octoprint.html"}],"affected":[{"package":{"name":"octoprint","ecosystem":"PyPI","purl":"pkg:pypi/octoprint"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.0"}]}],"versions":["1.3.11","1.3.12","1.3.12rc1","1.3.12rc3","1.4.0","1.4.0rc1","1.4.0rc2","1.4.0rc3","1.4.0rc4","1.4.0rc5","1.4.0rc6","1.4.1","1.4.1rc1","1.4.1rc2","1.4.1rc3","1.4.1rc4","1.4.2","1.5.0","1.5.0rc1","1.5.0rc2","1.5.0rc3","1.5.1","1.5.2","1.5.3","1.6.0rc1","1.6.0rc2","1.6.0rc3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x9rq-fjp5-qgm9/GHSA-x9rq-fjp5-qgm9.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}