CVE-2021-43833
📋 TL;DR
Any authenticated eLabFTW user can gain access to arbitrary other accounts by setting a specially crafted email address on their own account. All eLabFTW instances prior to version 4.2.0 that have not configured an email domain allowlist are affected; instances with an allowlist in place are not. The attacker needs nothing more than an existing (low-privilege) account and no interaction from the victim.
💻 Affected Systems
- eLabFTW
📦 What is this software?
eLabFTW, a free and open source electronic lab notebook (ELN) for research labs, developed by the eLabFTW project.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of all user accounts including administrators, leading to data theft, data manipulation, and full system compromise.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive research data and lab information.
If Mitigated
No impact if email domain allowlist is properly configured or patched version is deployed.
🎯 Exploit Status
Exploit requires authenticated access but is simple to execute once an account is obtained. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0
Vendor Advisory: https://github.com/elabftw/elabftw/security/advisories/GHSA-v659-q2fh-v99w
Restart Required: Yes
Instructions:
1. Back up your eLabFTW database and uploaded files.
2. Obtain eLabFTW version 4.2.0 or later from the GitHub releases page.
3. Replace the existing installation with the new version, and run the database schema update the project's upgrade documentation calls for (bin/console db:update on a non-Docker install; Docker deployments normally upgrade through elabctl).
4. Restart the web server / container.
5. Verify functionality, and confirm the version shown in the web interface is 4.2.0 or higher.
🔧 Temporary Workarounds
Enable Email Domain Allowlist
Configure an allowlist of permitted email domains so that a crafted address outside those domains cannot be set on an account. The advisory states that instances with an allowlist configured are not affected.
Navigate to Sysconfig panel > Security tab > Enable email domain allowlist
🧯 If You Can't Patch
- Immediately enable email domain allowlist in Sysconfig panel Security tab
- Review existing accounts for email addresses that fall outside your expected domain(s) or duplicate another user's address, and monitor the audit log for email changes followed by logins to a different account
🔍 How to Verify
Check if Vulnerable:
Check eLabFTW version via web interface or configuration files. If version < 4.2.0 and no email domain allowlist configured, system is vulnerable.
Check Version:
Check the version shown in the web interface (footer or Sysconfig panel) or the version constant in the installed source tree
Verify Fix Applied:
Verify the version is 4.2.0 or higher. Keeping the email domain allowlist enabled in Sysconfig > Security after patching is optional but recommended as defense in depth.
📡 Detection & Monitoring
Log Indicators:
- A user changing their own email address to a value outside the organisation's expected domain(s), or to one that matches or closely resembles another account's address
- An email change followed shortly afterwards by a login to a different account from the same source IP or session
- Account access from unexpected locations or at unexpected times for the affected user
Network Indicators:
- HTTP POST requests to user profile modification endpoints with unusual email patterns
SIEM Query (field names are placeholders; map them to however your pipeline parses eLabFTW's audit events):
source="elabftw_logs" AND event="user_update" AND changed_field="email" AND NOT new_email LIKE "%@lab.example.org"
Correlate hits with login events from the same source IP within the following 30 minutes where the logged-in user differs from the user who made the change.
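The allowlist workaround above and the log indicators in this section, as one added worked example (this is not eLabFTW's own code, and the log format, event names, user IDs, IP addresses and the domain lab.example.org are all assumptions): a strict email-domain allowlist check, and a scan over a few constructed audit-log lines that flags an email change to a non-allowlisted address and a subsequent login to a different account from the same IP. The advisory does not publish the form of the crafted address, so the rejected address below is simply one that fails the domain check.

```python
"""Constructed example: strict email-domain allowlist plus an audit-log scan
for the pattern in the eLabFTW advisory. Not eLabFTW's code; log format,
event names and domains are assumptions."""
import re
from datetime import datetime, timedelta

# Assumed allowlist, as a sysadmin would configure under Sysconfig > Security.
ALLOWED_DOMAINS = {"lab.example.org"}

# Exactly one '@', no whitespace or control characters, plain label characters
# in the domain. Deliberately stricter than RFC 5322 on purpose.
_STRICT_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def email_allowed(email, allowed=ALLOWED_DOMAINS):
    """True only if email is well-formed and its domain is on the allowlist."""
    if not _STRICT_EMAIL.fullmatch(email):  # rejects extra '@', spaces, junk
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed}


# Constructed log lines in an assumed format:
# "<iso-time> <event> key=value ...". The non-allowlisted address is made up.
SAMPLE_LOG = """\
2021-12-20T09:00:00Z login user=7 ip=203.0.113.5
2021-12-20T09:01:12Z user_update user=7 ip=203.0.113.5 email=mallory@lab.example.org.evil.example
2021-12-20T09:02:30Z login user=1 ip=203.0.113.5
2021-12-20T10:15:00Z user_update user=12 ip=198.51.100.9 email=carol@lab.example.org
2021-12-20T11:00:00Z login user=12 ip=198.51.100.9
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one assumed-format log line into a dict of fields."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(_KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def find_suspicious(log_text, window=timedelta(minutes=30), allowed=ALLOWED_DOMAINS):
    """Return (timestamp, reason) findings for the two indicators above."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    recent_updates = []  # (ts, user, ip) of every email change seen so far
    for ev in events:
        if ev["event"] == "user_update" and "email" in ev:
            if not email_allowed(ev["email"], allowed):
                findings.append((ev["ts"],
                                 f"user {ev['user']} set email outside allowlist: {ev['email']}"))
            recent_updates.append((ev["ts"], ev["user"], ev["ip"]))
        elif ev["event"] == "login":
            # Same IP changed an email as one user, then logged in as another.
            for ts, user, ip in recent_updates:
                if ip == ev["ip"] and user != ev["user"] and ev["ts"] - ts <= window:
                    findings.append((ev["ts"],
                                     f"ip {ip} changed email as user {user} "
                                     f"then logged in as user {ev['user']}"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_suspicious(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

On the constructed lines this reports two findings: the non-allowlisted address set by user 7, and the login as user 1 from the same IP 78 seconds later. The second heuristic is the more useful one in practice, because an address that merely looks odd is only a weak signal, while "changed own email, then appeared as someone else" is the attack pattern itself.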