CVE-2024-23637: 
Python vulnerability analysis and mitigation

OctoPrint versions up to and including 1.9.3 contain a vulnerability (CVE-2024-23637) that allows malicious administrators to change passwords of other admin accounts without requiring password verification. The vulnerability was discovered and disclosed by Timothy "TK" Ruppert, and has been patched in version 1.10.0rc1 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 score of 4.2 (Moderate severity), with a vector string of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L. The attack requires local access and high privileges but is low in complexity and requires no user interaction. The vulnerability is related to CWE-620 and affects the access control settings in OctoPrint's web interface (GitHub Advisory).

An attacker who has compromised an admin account could exploit this vulnerability to change passwords of other administrator accounts without needing to verify the current password. This could potentially lead to legitimate administrators being locked out of their OctoPrint instance (GitHub Advisory).

The vulnerability has been patched in OctoPrint version 1.10.0rc1 by introducing a reauthentication requirement for critical operations, including password changes. The patch implements a 5-minute timeout for reauthentication, which is configurable via config.yaml. Until upgrading, administrators are strongly advised to thoroughly vet who has admin access to their installation (OctoPrint Release, GitHub Advisory).