Vulnerability in eLabFTW Allows Unauthenticated Users to Gain Administrative Privileges
CVE-2024-25632

8.8 HIGH

Key Information:

Vendor:
Elabftw
Status:
Vendor
CVE Published:
1 October 2024

What is CVE-2024-25632?

eLabFTW, an open-source electronic lab notebook, contains a flaw in its user management that lets a regular (non-admin) user elevate their privileges to administrator within a team they already belong to, under certain configurations. In versions released after v5.0.0 the same flaw can additionally be reached without authentication, so an unauthenticated actor may gain administrative privileges over an arbitrary team. This is a serious risk for research labs running eLabFTW, since team administrators control user management within their team. Note that the CVSS vector below lists Privileges Required: Low, i.e. it scores the authenticated path; the unauthenticated path on post-5.0.0 releases is not captured by that score. System administrators should upgrade to a fixed release (5.1.0 or later, per the affected range below) and, until the upgrade is done, restrict local user registration, disable the saml_team_create setting, and closely control user imports into teams.

Affected Version(s)

elabftw >= 4.6.0, < 5.1.0
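To make the description and the affected range above actionable across a fleet of installations, here is an added exposure check written for this page; it is not code from the eLabFTW project or from the advisory. It assumes the installed version is a plain "MAJOR.MINOR.PATCH" string (optional leading "v", optional pre-release suffix) and that the two configuration knobs the advisory names are available to the caller as booleans called local_register and saml_team_create; those parameter names and the sample inventory are constructed for the example.

```python
"""Exposure check for CVE-2024-25632 (eLabFTW team-admin privilege escalation).

Added example for this page, not eLabFTW project code. Assumed inputs:
a version string and two booleans (local_register, saml_team_create)
reflecting the instance's configuration; the names are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Boundaries taken from the advisory text: affected >= 4.6.0 and < 5.1.0,
# with the unauthenticated path present on releases after 5.0.0.
AFFECTED_MIN = (4, 6, 0)
FIXED = (5, 1, 0)
UNAUTH_ABOVE = (5, 0, 0)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '5.0.3', 'v5.0.3' or '5.0.3-beta' into a comparable int triple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised eLabFTW version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass
class Assessment:
    version: tuple[int, int, int]
    affected: bool                 # inside the advisory's affected range
    unauthenticated_path: bool     # release after 5.0.0 and still unfixed
    actions: list[str] = field(default_factory=list)


def assess(version: str, *, local_register: bool, saml_team_create: bool) -> Assessment:
    """Classify one instance and list the mitigations the advisory recommends."""
    v = parse_version(version)
    affected = AFFECTED_MIN <= v < FIXED
    unauth = affected and v > UNAUTH_ABOVE
    actions: list[str] = []
    if affected:
        actions.append("upgrade to eLabFTW 5.1.0 or later")
        # Interim mitigations only matter while the instance is still vulnerable.
        if local_register:
            actions.append("restrict local user registration")
        if saml_team_create:
            actions.append("disable saml_team_create")
        actions.append("closely control user imports into teams")
    return Assessment(v, affected, unauth, actions)


def triage(inventory: list[dict]) -> list[tuple[str, Assessment]]:
    """Return (hostname, assessment) for every affected instance, worst first."""
    results = []
    for item in inventory:
        a = assess(item["version"],
                   local_register=item["local_register"],
                   saml_team_create=item["saml_team_create"])
        if a.affected:
            results.append((item["host"], a))
    # Instances exposing the unauthenticated path come first.
    results.sort(key=lambda pair: (not pair[1].unauthenticated_path, pair[0]))
    return results


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "eln-a.lab.example", "version": "4.5.9",  "local_register": True,  "saml_team_create": False},
    {"host": "eln-b.lab.example", "version": "4.6.0",  "local_register": False, "saml_team_create": False},
    {"host": "eln-c.lab.example", "version": "v5.0.3", "local_register": True,  "saml_team_create": True},
    {"host": "eln-d.lab.example", "version": "5.1.0",  "local_register": True,  "saml_team_create": True},
]

if __name__ == "__main__":
    for host, a in triage(SAMPLE_INVENTORY):
        flag = "UNAUTHENTICATED" if a.unauthenticated_path else "authenticated-only"
        print(f"{host}: {'.'.join(map(str, a.version))} [{flag}] -> " + "; ".join(a.actions))
```

Run as-is to see the two affected sample hosts ranked with the post-5.0.0 instance first; in practice replace SAMPLE_INVENTORY with the output of whatever inventory source records your eLabFTW versions and settings.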


CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score:
8.8
Severity:
HIGH
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Confidentiality:
High
Integrity:
High
Availability:
High

Timeline

  • Vulnerability published

  • Vulnerability reserved
