
Cloud Vulnerability DB
A community-led vulnerabilities database
Versions of OctoPrint, a web interface for 3D printers, up to and including 1.9.2 contained a vulnerability (CVE-2023-41047) that allowed malicious administrators to execute arbitrary code through specially crafted GCODE scripts. The vulnerability was discovered by tianxin Wu (Bearcat), a Vulnerability Researcher at Numen Cyber Labs, Singapore, and was patched in version 1.9.3, released on October 9, 2023 (GitHub Release, NVD).
The vulnerability stems from improper neutralization of special elements used in a template engine (CWE-1336). A malicious administrator could configure a specially crafted GCODE script whose template directives were evaluated when the script was rendered. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H, indicating a local attack vector, low attack complexity, high privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability (GitHub Advisory).
An attacker exploiting this vulnerability could extract or manipulate data managed by OctoPrint, as well as execute arbitrary commands with the rights of the OctoPrint process on the server system. The vulnerability specifically affected GCODE Scripts executed on printer connection, print pause, resume, and similar events, but did not affect GCODE files uploaded for printing (GitHub Advisory).
The vulnerability has been patched in OctoPrint version 1.9.3. Users are advised to upgrade to this version or newer. As a workaround, administrators are strongly advised to thoroughly vet who has admin access to their installation and to avoid blindly configuring arbitrary GCODE scripts found online or provided by third parties (GitHub Release).
Source: This report was generated using AI