CVE-2022-31007
Published: 31 May 2022
Summary
CVE-2022-31007 is a medium-severity Placement of User into Incorrect Group (CWE-842) vulnerability in eLabFTW (vendor: Elabftw). Its CVSS base score is 4.9 (Medium).
Operationally, it is ranked in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, the application contained a vulnerability that permitted an authenticated user holding an administrator role within a team to assign themselves system administrator privileges or to create a new system administrator account. The flaw is tracked under CWE-842 and CWE-1287 and received a CVSS 3.1 score of 4.9.
An attacker must already possess a team-level administrator account; regular users cannot leverage the issue. Successful exploitation grants the ability to manage all accounts, teams, and system-wide settings across the application, which is the full system administrator capability that the team-level role is not supposed to confer.
The project addressed the problem in release 4.3.0. Public advisories note that one contributing vector can be mitigated by removing the ability of team administrators to create new accounts.
EPSS scores for the CVE rose from a low baseline to a peak of 0.2459, indicating measurable exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52712
Vulnerability details
eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one of the issues is removing the ability of administrators to create accounts.
- CWE(s): CWE-842 (Placement of User into Incorrect Group), CWE-1287 (Improper Validation of Specified Type of Input)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
eLabFTW versions prior to 4.3.0.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.