CVE-2022-31178

eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x	Third Party Advisory
https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:04

Type	Values Removed	Values Added
References	~~() https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x - Third Party Advisory~~	() https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x - Third Party Advisory

Information

Published : 2022-08-01 19:15

Updated : 2024-11-21 07:04

NVD link : CVE-2022-31178

Mitre link : CVE-2022-31178

CVE.ORG link : CVE-2022-31178

JSON object : View

Products Affected

elabftw

elabftw

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2022-31178", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-08-01T19:15:08.453", "references": [{"url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-63qq-hw97-8q7x", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "eLabFTW es un gestor de cuadernos de laboratorio electr\u00f3nicos para equipos de investigaci\u00f3n. Se ha detectado una vulnerabilidad que permite a un usuario conectado leer una plantilla sin estar autorizado para ello. Esta vulnerabilidad ha sido parcheada en versi\u00f3n 4.3.4. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "lastModified": "2024-11-21T07:04:03.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FF3C390-C0DD-4AD8-8D2B-444BC3AD15B4", "versionEndExcluding": "4.3.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}