{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25632", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-08T22:26:33.512Z", "datePublished": "2024-10-01T14:36:50.451Z", "dateUpdated": "2024-10-01T15:00:01.610Z"}, "containers": {"cna": {"title": "Unauthorised granting of administrator privileges over arbitrary teams under certain circumstances", "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "lang": "en", "description": "CWE-266: Incorrect Privilege Assignment", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-842", "lang": "en", "description": "CWE-842: Placement of User into Incorrect Group", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg"}], "affected": [{"vendor": "elabftw", "product": "elabftw", "versions": [{"version": ">= 4.6.0, < 5.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T14:36:50.451Z"}, "descriptions": [{"lang": "en", "value": "eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required."}], "source": {"advisory": "GHSA-6m7p-gh9f-5mgg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-01T14:59:53.524677Z", "id": "CVE-2024-25632", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T15:00:01.610Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25632", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-01T14:59:53.524677Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-01T14:59:57.676Z"}}], "cna": {"title": "Unauthorised granting of administrator privileges over arbitrary teams under certain circumstances", "source": {"advisory": "GHSA-6m7p-gh9f-5mgg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "elabftw", "product": "elabftw", "versions": [{"status": "affected", "version": ">= 4.6.0, < 5.1.0"}]}], "references": [{"url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg", "name": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-842", "description": "CWE-842: Placement of User into Incorrect Group"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-01T14:36:50.451Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25632", "state": "PUBLISHED", "dateUpdated": "2024-10-01T15:00:01.610Z", "dateReserved": "2024-02-08T22:26:33.512Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-01T14:36:50.451Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A user may be an administrator in one team and a regular user in another. The vulnerability allows a regular user to become administrator of a team where they are a member, under a reasonable configuration. Additionally, in eLabFTW versions subsequent to v5.0.0, the vulnerability may allow an initially unauthenticated user to gain administrative privileges over an arbitrary team. The vulnerability does not affect system administrator status. Users should upgrade to version 5.1.0. System administrators are advised to turn off local user registration, saml_team_create and not allow administrators to import users into teams, unless strictly required."}, {"lang": "es", "value": "eLabFTW es un cuaderno de laboratorio electr\u00f3nico de c\u00f3digo abierto para laboratorios de investigaci\u00f3n. En el contexto de eLabFTW, un administrador es una cuenta de usuario con ciertos privilegios para administrar usuarios y contenido en su equipo o equipos asignados. Un usuario puede ser administrador en un equipo y usuario regular en otro. La vulnerabilidad permite que un usuario regular se convierta en administrador de un equipo del que es miembro, bajo una configuraci\u00f3n razonable. Adem\u00e1s, en versiones de eLabFTW posteriores a la v5.0.0, la vulnerabilidad puede permitir que un usuario inicialmente no autenticado obtenga privilegios administrativos sobre un equipo arbitrario. La vulnerabilidad no afecta el estado de administrador del sistema. Los usuarios deben actualizar a la versi\u00f3n 5.1.0. Se recomienda a los administradores del sistema que desactiven el registro de usuarios locales, saml_team_create y no permitan que los administradores importen usuarios a los equipos, a menos que sea estrictamente necesario."}], "id": "CVE-2024-25632", "lastModified": "2024-10-04T13:51:25.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-01T15:15:07.383", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-6m7p-gh9f-5mgg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-842"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}