Vulnerability Details : CVE-2021-32698
eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an authenticated attacker to make the server issue GET requests to a destination of the attacker's choosing, including hosts that are reachable only from the server's own network. It is "blind" because the attacker does not receive the body of the response; what can still be learned is limited to side channels such as whether the request succeeds, how long it takes, or whether an attacker-controlled host sees an incoming connection. According to the title of the fix commit referenced below, the request is issued during PDF generation. The issue was patched in eLabFTW 4.0.0.
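The usual defence against this class of bug is to check where a server-side fetch will actually go before issuing it, and to do that check on the resolved address rather than on the URL string. The block below is an added example written for this page; it is not eLabFTW's code (eLabFTW is a PHP application, and the patch linked under References is the authoritative fix) and it does not reproduce the original bug. The names `check_fetch_target`, `is_public`, `UnsafeTarget`, the hostnames in `CONSTRUCTED_DNS` and the address they map to are all constructed for illustration. The injected resolver exists so the example runs offline; in production `system_resolver` (or the HTTP client's own resolution, followed by connecting to the pinned IP) would be used.

```python
"""Destination check for URLs that a server fetches on a user's behalf, for
example remote images pulled in while rendering a PDF export.
Added example for this page; not eLabFTW's code."""
import ipaddress
import socket
from typing import Callable, Dict, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeTarget(ValueError):
    """Raised when the server must not fetch the given URL."""


def system_resolver(host: str) -> List[str]:
    """Resolve with the same library the HTTP client would use, so that
    shorthand spellings such as '0x7f000001' or '2130706433' are judged by
    the address they really yield, not by how the string looks."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # strip an IPv6 scope id such as '%eth0' before parsing
    return sorted({info[4][0].split("%")[0] for info in infos})


def is_public(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.5 -> 10.0.0.5
    if mapped is not None:
        ip = mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return False
    return ip.is_global  # also rejects RFC 1918 and shared address space


def check_fetch_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Validate a fetch URL and return the single IP the fetcher must connect
    to. Returning the pinned address (and connecting to it, with the Host
    header set from the URL) closes the DNS-rebinding window between check
    and use."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeTarget("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeTarget("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address
    except ValueError:
        resolved = resolver(host)                       # hostname
        if not resolved:
            raise UnsafeTarget(f"cannot resolve {host!r}")
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for addr in addrs:  # every answer must be public, not just the first
        if not is_public(addr):
            raise UnsafeTarget(f"{host!r} -> {addr} is not a public address")
    return str(addrs[0])


# Constructed DNS data so the example runs offline (hypothetical names).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "cdn.example": ["93.184.216.34"],   # any globally routable address
    "internal.lab": ["10.20.0.7"],      # an internal service
    "0x7f000001": ["127.0.0.1"],        # what a libc resolver yields here
}


def fake_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


SAMPLE_URLS = [
    "https://cdn.example/logo.png",
    "http://internal.lab/admin",
    "http://127.0.0.1:3306/",
    "http://169.254.169.254/latest/meta-data/",
    "http://[::ffff:10.0.0.5]/",
    "http://0x7f000001/",
    "file:///etc/passwd",
    "http://cdn.example@internal.lab/",
]


def demo(resolver: Resolver = fake_resolver) -> Dict[str, str]:
    """Return a verdict per sample URL: 'allow -> <ip>' or 'block: <why>'."""
    verdicts: Dict[str, str] = {}
    for url in SAMPLE_URLS:
        try:
            verdicts[url] = "allow -> " + check_fetch_target(url, resolver)
        except UnsafeTarget as exc:
            verdicts[url] = "block: " + str(exc)
    return verdicts


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:45} {verdict}")
```

Two points the page's description makes concrete here: the check needs the privilege context of the server, not the user, so it belongs in the fetcher and not in form validation; and because the bug is blind, a port-scan or cloud-metadata probe still succeeds if only the response body is hidden, which is why destinations are rejected outright rather than responses filtered.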
Vulnerability category: Server-side request forgery (SSRF)
Products affected by CVE-2021-32698
- cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-32698
- EPSS score: 0.06% (estimated probability of exploitation activity in the next 30 days)
- EPSS percentile: ~25% (the proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2021-32698
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N (CVSS v2) | 8.0 | 2.9 | NIST |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 | NIST |
6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | 2.3 | 4.0 | GitHub, Inc. |

The two CVSS 3.1 vectors agree on every metric except Scope: NIST rates it Unchanged (S:U), GitHub rates it Changed (S:C) on the reading that the forged request reaches systems beyond the vulnerable component. That single difference accounts for the gap between 4.9 and 6.8. Both require high privileges (PR:H), consistent with the description of an authenticated attacker.
CWE ids for CVE-2021-32698
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-32698
- https://github.com/elabftw/elabftw/security/advisories/GHSA-mh6g-62p8-26m4
  Blind Server-Side Request Forgery (SSRF) in eLabFTW (GitHub Security Advisory). Tags: Patch; Third Party Advisory
- https://github.com/elabftw/elabftw/commit/3d2db4d3ad90b0915f29f05aeba41eaaf6a7c726
  Commit "security: prevent blind ssrf in pdf generation" (elabftw/elabftw@3d2db4d). Tags: Patch; Third Party Advisory