CVE-2024-25632
📋 TL;DR
This vulnerability in eLabFTW allows regular users to escalate privileges to administrator within teams where they are members. In versions after v5.0.0, it may also allow unauthenticated users to gain administrative privileges over arbitrary teams. This affects all eLabFTW instances with vulnerable configurations.
💻 Affected Systems
- eLabFTW
📦 What is this software?
eLabFTW by eLabFTW
⚠️ Risk & Real-World Impact
Worst Case
An unauthenticated attacker gains administrative control over any team, allowing them to modify user permissions, delete/alter research data, and potentially access sensitive information across the entire instance.
Likely Case
Regular users within teams escalate to administrator privileges, enabling unauthorized management of team members and content within their assigned teams.
If Mitigated
With proper controls (disabled user registration, restricted imports), only authenticated team members could potentially escalate privileges within their existing teams.
🎯 Exploit Status
The advisory suggests exploitation is straightforward under reasonable configurations. Unauthenticated exploitation is possible in versions after v5.0.0.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.0
Vendor Advisory: https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg
Restart Required: Yes
Instructions:
1. Back up your eLabFTW instance and database.
2. Download eLabFTW version 5.1.0 or later.
3. Replace the existing installation files with the new version.
4. Run the database update scripts if required.
5. Restart the web server services.
🔧 Temporary Workarounds
Disable user registration and imports
Turn off local user registration, disable saml_team_create, and prevent administrators from importing users into teams
Configure in eLabFTW admin panel or configuration files
🧯 If You Can't Patch
- Disable local user registration completely
- Restrict administrator permissions to import users into teams
🔍 How to Verify
Check if Vulnerable:
Check eLabFTW version via admin panel or by examining the software files. Versions below 5.1.0 are vulnerable.
Check Version:
Check eLabFTW admin panel or examine src/defines.php for version constant
Verify Fix Applied:
Confirm the version is 5.1.0 or higher via the admin panel or version file. A test privilege-escalation attempt by a regular user should fail.
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- User role changes from regular to admin
- Unauthorized access attempts to admin functions
Network Indicators:
- Unusual API calls to user permission endpoints
- Suspicious authentication patterns
SIEM Query:
Search for user role changes from 'user' to 'admin' within short timeframes, especially for users with existing team memberships
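One way to turn the query above into a check, as an added example (not eLabFTW's own code, and the audit-log layout, field names and event names are constructed assumptions, not eLabFTW's real log schema): it parses role-change records and flags user-to-admin promotions that happen shortly after the same user joined the team.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format, not eLabFTW's): one record per line,
# "ISO-timestamp | event | user | key=value ..."
SAMPLE_LOG = """\
2024-02-10T09:00:00 | team_join | alice | team=ChemLab
2024-02-10T09:03:12 | role_change | alice | team=ChemLab old=user new=admin
2024-02-10T10:00:00 | team_join | bob | team=BioLab
2024-02-12T15:30:00 | role_change | bob | team=BioLab old=user new=admin
2024-02-10T11:00:00 | role_change | carol | team=ChemLab old=admin new=user
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, detail = [p.strip() for p in line.split("|")]
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "event": event, "user": user, **fields})
    return events


def audit_promotions(events, window=timedelta(minutes=30)):
    """Return every user->admin promotion, marking it suspicious when it occurs
    within `window` of that user's team_join for the same team."""
    joins = {}      # (user, team) -> time the user joined that team
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "team_join":
            joins[(ev["user"], ev["team"])] = ev["ts"]
        elif ev["event"] == "role_change" and ev.get("old") == "user" and ev.get("new") == "admin":
            joined = joins.get((ev["user"], ev["team"]))
            secs = int((ev["ts"] - joined).total_seconds()) if joined else None
            findings.append({
                "user": ev["user"],
                "team": ev["team"],
                "seconds_since_join": secs,
                "suspicious": secs is not None and secs <= window.total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in audit_promotions(parse_log(SAMPLE_LOG)):
        print(f)
```

Promotions with no recorded join are still listed (with seconds_since_join None) so a reviewer can check them by hand.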