Vulnerability Details : CVE-2022-31007
eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or to create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team or teams. A system administrator account can manage all accounts and teams and edit system-wide settings within the application. The impact is not deemed high, as it requires the attacker to already have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one of the issues is removing the ability of administrators to create accounts.
Vulnerability category: Input validation
Products affected by CVE-2022-31007
- cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31007
EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~40% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2022-31007
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P (CVSS v2) | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 1.2 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-31007
- The product or the administrator places a user into an incorrect group. Assigned by: security-advisories@github.com (Secondary)
- The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-31007
- https://github.com/elabftw/elabftw/security/advisories/GHSA-937c-m7p3-775v (Privilege escalation from administrator in eLabFTW · Advisory · elabftw/elabftw · GitHub) — Third Party Advisory
- https://github.com/elabftw/elabftw/releases/tag/4.3.0 (Release elabftw-4.3.0 · elabftw/elabftw · GitHub) — Release Notes; Third Party Advisory