CVE-2024-25632

eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-01 15:15

Updated : 2024-10-04 13:51

NVD link : CVE-2024-25632

Mitre link : CVE-2024-25632

CVE.ORG link : CVE-2024-25632

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

CWE-842

Placement of User into Incorrect Group

{"id": "CVE-2024-25632", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2024-10-01T15:15:07.383", "references": [{"url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-842"}]}], "descriptions": [{"lang": "en", "value": "eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required."}, {"lang": "es", "value": "eLabFTW es un cuaderno de laboratorio electr\u00f3nico de c\u00f3digo abierto para laboratorios de investigaci\u00f3n. En el contexto de eLabFTW, un administrador es una cuenta de usuario con ciertos privilegios para administrar usuarios y contenido en su equipo o equipos asignados. Un usuario puede ser administrador en un equipo y usuario regular en otro. La vulnerabilidad permite que un usuario regular se convierta en administrador de un equipo del que es miembro, bajo una configuraci\u00f3n razonable. Adem\u00e1s, en versiones de eLabFTW posteriores a la v5.0.0, la vulnerabilidad puede permitir que un usuario inicialmente no autenticado obtenga privilegios administrativos sobre un equipo arbitrario. La vulnerabilidad no afecta el estado de administrador del sistema. Los usuarios deben actualizar a la versi\u00f3n 5.1.0. Se recomienda a los administradores del sistema que desactiven el registro de usuarios locales, saml_team_create y no permitan que los administradores importen usuarios a los equipos, a menos que sea estrictamente necesario."}], "lastModified": "2024-10-04T13:51:25.567", "sourceIdentifier": "security-advisories@github.com"}