Attackers Can Bypass eLabFTW's MFA in Prior Versions
CVE-2024-52586

7.8HIGH

Key Information:

Vendor: eLabFTW
Status: Elabftw
Vendor: CVE Published:; 9 December 2024

What is CVE-2024-52586?

A significant vulnerability has been identified in eLabFTW, an open source electronic lab notebook designed for research labs. This issue affects versions 4.6.0 through 5.1.0, allowing unauthorized users to bypass the essential multifactor authentication (MFA) protection, provided they can authenticate locally by guessing or knowing a user's password. This flaw does not interfere with MFA methods that are conducted through single sign-on services. Users are strongly encouraged to update to at least version 5.1.9, where this security vulnerability is fixed.

References

https://github.com/elabftw/elabftw/security/advisories/GH...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2024

CVE-2024-52586 Data

JSON