Impact
The vulnerability allows an authenticated user with an administrator role in a team to assign themselves system administrator privileges within the application, or to create a new system administrator account. The issue has been corrected in the latest version of eLabFTW.
In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application.
The impact is not deemed high, as it requires the attacker to already have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights.
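The authorization invariant behind this advisory, as an added illustration in Python (not eLabFTW's own PHP code): a flawed policy that lets any team admin set any group, beside a corrected one where only a system administrator may grant or revoke the sysadmin group, and where account creation honours the Sysconfig toggle named under Workarounds. Every name below (Group, Account, the functions, the keyword modelling the toggle) is an assumption, not an eLabFTW identifier.

```python
from dataclasses import dataclass
from enum import Enum

class Group(Enum):
    USER = "user"
    ADMIN = "admin"        # team administrator
    SYSADMIN = "sysadmin"  # system administrator

@dataclass(frozen=True)
class Account:
    id: int
    team: int
    group: Group

def vulnerable_may_set_group(actor: Account, target: Account, new_group: Group) -> bool:
    # Flawed policy: being an admin is enough to set any group, sysadmin included,
    # on any account, the actor's own account included.
    return actor.group in (Group.ADMIN, Group.SYSADMIN)

def may_set_group(actor: Account, target: Account, new_group: Group) -> bool:
    # Invariant: only a sysadmin may grant or revoke the sysadmin group.
    if actor.group == Group.SYSADMIN:
        return True
    if actor.group != Group.ADMIN:
        return False
    if Group.SYSADMIN in (new_group, target.group):
        return False
    # A team admin may only manage members of its own team.
    return target.team == actor.team

def may_create_account(actor: Account, team: int, group: Group,
                       admins_can_create_local_accounts: bool = True) -> bool:
    # Same invariant for creation; the keyword models the Sysconfig toggle
    # named in the advisory's workaround (parameter name is assumed).
    if actor.group == Group.SYSADMIN:
        return True
    if actor.group != Group.ADMIN or not admins_can_create_local_accounts:
        return False
    return group != Group.SYSADMIN and team == actor.team

# Constructed accounts for the scenario in the advisory.
TEAM_ADMIN = Account(id=7, team=1, group=Group.ADMIN)
SYSADMIN = Account(id=1, team=1, group=Group.SYSADMIN)
OTHER_TEAM_USER = Account(id=9, team=2, group=Group.USER)
```

Both escalation paths from the advisory (self-promotion and creating a sysadmin account) pass the flawed check and fail the corrected one, while ordinary team administration still works.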
Patches
Users should upgrade to version 4.3.0.
Workarounds
One of the issues can be resolved by removing the ability of administrators to create accounts (see the Sysconfig panel, "Admins can create local accounts:").
Credit
The issue was discovered and responsibly disclosed by Anders Märak Leffler (@anargam).
References
For a more complete and precise discussion of user roles, see the eLabFTW documentation.
For more information
If you have any questions or comments about this advisory: