Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

ultimaker

Source -

ADPNVD

BOS Name -

N/A

CNA CVEs -

0

ADP CVEs -

1

CISA CVEs -

0

NVD CVEs -

3
Related CVEsRelated ProductsRelated AssignersReports
3Vulnerabilities found
CVE-2024-8374
Assigner-Checkmarx
ShareView Details
Assigner-Checkmarx
CVSS Score-7.8||HIGH
EPSS-0.15% / 36.73%
||
7 Day CHG~0.00%
Published-03 Sep, 2024 | 10:01
Updated-16 Sep, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Code Injection in Cura

UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases.

Action-Not Available
Vendor-ultimakerUltimakerultimaker
Product-ultimaker_curaCuracura
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2021-34086
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.21% / 43.85%
||
7 Day CHG~0.00%
Published-10 Jan, 2022 | 01:12
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.

Action-Not Available
Vendor-ultimakern/a
Product-ultimaker_s5_firmwareultimaker_s3ultimaker_s5ultimaker_3_firmwareultimaker_s3_firmwareultimaker_3n/a
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-34087
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.1||HIGH
EPSS-0.38% / 58.54%
||
7 Day CHG~0.00%
Published-10 Jan, 2022 | 01:10
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page.

Action-Not Available
Vendor-ultimakern/a
Product-ultimaker_s5_firmwareultimaker_s3ultimaker_s5ultimaker_3_firmwareultimaker_s3_firmwareultimaker_3n/a
CWE ID-CWE-1021
Improper Restriction of Rendered UI Layers or Frames