CVE-2022-2822
OctoPrint does not have rate limiting on the login page
CVSS 3.1 base score: 3.7 (LOW)
EPSS: 0.28%
Description
OctoPrint 1.7.3 and prior does not rate-limit the login page, so an attacker can attempt brute-force password guessing against it. The severity of this issue is limited by OctoPrint normally running in a restricted LAN. The `devel` and `maintenance` branches of the repository contain a fix that limits the rate of failed login attempts.
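The fix described above limits the rate of failed login attempts. The following is an added example of that pattern in Python (the language OctoPrint is written in); it is not OctoPrint's own code, and `FailedLoginThrottle`, `attempt_login` and the policy values (5 failures per 300 seconds) are assumed names and constructed values.

```python
import time
from collections import defaultdict, deque


class FailedLoginThrottle:
    """Sliding-window limit on failed logins per key (e.g. client IP or account)."""

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures  # failures tolerated inside one window (constructed value)
        self.window = window              # window length in seconds (constructed value)
        self.clock = clock                # injectable for deterministic tests
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._recent(key, self.clock())) >= self.max_failures

    def retry_after(self, key):
        """Seconds until the oldest counted failure expires; 0.0 if not blocked."""
        now = self.clock()
        q = self._recent(key, now)
        if len(q) < self.max_failures:
            return 0.0
        return max(0.0, self.window - (now - q[0]))

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, key, verify_credentials):
    """Gate one login attempt. verify_credentials() is the application's own password
    check (assumed); it is not called while the key is blocked, so a correct guess
    made during a lockout is refused as well."""
    if throttle.is_blocked(key):
        return "blocked"
    if verify_credentials():
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "denied"
```

The in-process store is per worker and resets on restart, so a multi-process deployment needs a shared backend. Keying only by client address lets one NAT user lock out others, while keying only by account lets an attacker lock out the legitimate user; combining both keys is the usual compromise.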
How to fix CVE-2022-2822
No fixed release has been published yet. Mitigate by removing the affected package or by applying the upstream guidance referenced in the description (the fix on the `devel` and `maintenance` branches).
Is CVE-2022-2822 being exploited?
Low. The EPSS score is 0.3%, indicating a low estimated probability of exploitation in the wild.
Affected packages (1)
- OctoPrint: from 0, <= 1.7.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |