Subject: CVS commit: pkgsrc/print/py-octoprint
From: Adam Ciarcinski
Date: 2025-01-19 17:13:21
Message id: 20250119161321.5243AFBDD@cvs.NetBSD.org

Log Message:
py-octoprint: updated to 1.10.3

1.10.3

Changes

Security fixes

Severity Moderate (5.5): OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as this is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog.

An attacker who successfully talked a victim into clicking on or through a malicious third party app successfully redirected a victim to a specially crafted link could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.

The above mentioned specific vulnerabilities of the login dialog and the standalone application key confirmation dialog have been fixed in 1.10.3 by individual escaping of the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to globally enforced automatic escaping and thus reducing the attack surface in general.

The latter will also improve the security of third party plugins. During a transition period, third party plugins will be able to opt into the automatic escaping. With OctoPrint 1.13.0, automatic escaping will be switched over to be enforced even for third party plugins, unless they explicitly opt-out.

See also the GitHub Security Advisory and CVE-2024-49377.

Severity Moderate (5.3): OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password.

An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.

See also the GitHub Security Advisory and CVE-2024-51493.

Minor Security fixes

Core: Use secrets lib to generate Flask secret key, API keys and user session IDs.

Discovery Plugin: Removed version number from discovery.xml of SSDP discovery. Combats information leakage.

GCODE Viewer Plugin: Limited access to skip_until check API to available GCODE_VIEWER and FILES_DOWNLOAD permissions. Combats information leakage.

Bug fixes

Core

Fixed a typo where the config setting server.reverseProxy.trustedUpstream was used instead of server.reverseProxy.trustedDownstream. Also made the SockJS trusted proxy check align with that of Flask & Tornado.
Fixed file list cache being created before all extension tree providing plugins have had a chance to act.

Plugin Manager

Fixed dequeuing of plugin installs.

Files:
Revision  Action  File
1.10      modify  pkgsrc/print/py-octoprint/Makefile
1.7       modify  pkgsrc/print/py-octoprint/distinfo
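The Jinja2 autoescaping issue behind the first security fix above (CVE-2024-49377), as an added Python example that is not part of this commit or of OctoPrint's code: a constructed, simplified login-dialog template echoes a user-controlled parameter with Jinja2's default autoescape=False, beside the per-location |e fix that 1.10.3 applied to the detected spots and the globally enforced autoescaping announced for 1.11.0. The template names, probe string and function names are constructed for illustration and assume only jinja2 and its markupsafe dependency.

```python
# Jinja2 autoescaping: the weak setting beside the corrected ones. Constructed,
# simplified login-dialog template (not OctoPrint's own) that echoes a
# user-controlled "redirect" parameter into an attribute value.
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup

TEMPLATES = {
    # Untrusted value rendered as-is: safe only if the environment escapes.
    "login.html": '<input type="hidden" name="redirect" value="{{ redirect }}">',
    # Spot fix: the |e filter escapes this one location regardless of the
    # environment setting (the 1.10.3 approach of escaping detected spots).
    "login_spotfix.html": '<input type="hidden" name="redirect" value="{{ redirect|e }}">',
}

# Constructed reflected-XSS probe: breaks out of the attribute and adds a tag.
PROBE = '"><script>alert(1)</script>'


def render(template: str, autoescape) -> str:
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=autoescape)
    return env.get_template(template).render(redirect=PROBE)


def render_unescaped() -> str:
    """Weak: Jinja2's Environment default is autoescape=False."""
    return render("login.html", autoescape=False)


def render_spot_fix() -> str:
    """Per-location fix: |e in the template, environment still unescaped."""
    return render("login_spotfix.html", autoescape=False)


def render_global() -> str:
    """Global fix: escape .html/.htm/.xml templates and string templates."""
    return render("login.html", autoescape=select_autoescape(
        ["html", "htm", "xml"], default_for_string=True))


def is_contained(html: str) -> bool:
    """True when the probe stayed inside the attribute as inert text."""
    return "<script" not in html and "&lt;script&gt;" in html


def trusted_markup_survives() -> bool:
    """Caveat: Markup() values are trusted and never escaped, so wrap only
    server-generated HTML, never request data."""
    env = Environment(autoescape=True)
    return env.from_string("{{ v }}").render(v=Markup("<b>ok</b>")) == "<b>ok</b>"
```

Enforcing autoescaping at the Environment level removes the need to find every affected location by hand, which is why the per-location escaping in 1.10.3 is described above as an interim step before the global switch.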