CVE-2024-45408 (GCVE-0-2024-45408)
Vulnerability from cvelistv5
Published
2024-10-01 14:53
Modified
2024-10-01 15:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel.
References
| ► | URL | Tags | |
|---|---|---|---|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "elabftw",
"vendor": "elabftw",
"versions": [
{
"lessThan": "5.1.0",
"status": "affected",
"version": "4.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T15:10:38.923193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T15:12:46.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "elabftw",
"vendor": "elabftw",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 5.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T14:53:48.085Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5"
}
],
"source": {
"advisory": "GHSA-2c83-6j74-w8r5",
"discovery": "UNKNOWN"
},
"title": "eLabFTW contains a direct and indirect information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45408",
"datePublished": "2024-10-01T14:53:48.085Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-10-01T15:12:46.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45408\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-01T15:15:08.220\",\"lastModified\":\"2025-02-28T15:54:25.053\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel.\"},{\"lang\":\"es\",\"value\":\"eLabFTW es un cuaderno de laboratorio electr\u00f3nico de c\u00f3digo abierto para laboratorios de investigaci\u00f3n. Se ha detectado una comprobaci\u00f3n de permisos incorrecta que podr\u00eda permitir que un usuario autenticado acceda a varios tipos de informaci\u00f3n que de otro modo estar\u00eda restringida. Si se permite el acceso an\u00f3nimo (algo deshabilitado de forma predeterminada), esto se extiende a cualquier persona. Se recomienda a los usuarios que actualicen al menos a la versi\u00f3n 5.1.0. Los administradores de System pueden deshabilitar el acceso an\u00f3nimo en el panel de configuraci\u00f3n de System.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"5.1.0\",\"matchCriteriaId\":\"40516FAC-9495-4172-AA45-F449183541AC\"}]}]}],\"references\":[{\"url\":\"https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45408\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-01T15:10:38.923193Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*\"], \"vendor\": \"elabftw\", \"product\": \"elabftw\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.4.0\", \"lessThan\": \"5.1.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-01T15:12:38.838Z\"}}], \"cna\": {\"title\": \"eLabFTW contains a direct and indirect information disclosure\", \"source\": {\"advisory\": \"GHSA-2c83-6j74-w8r5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"elabftw\", \"product\": \"elabftw\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.4.0, \u003c 5.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5\", \"name\": \"https://github.com/elabftw/elabftw/security/advisories/GHSA-2c83-6j74-w8r5\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"eLabFTW is an open source electronic lab notebook for research labs. An incorrect permission check has been found that could allow an authenticated user to access several kinds of otherwise restricted information. If anonymous access is allowed (something disabled by default), this extends to anyone. Users are advised to upgrade to at least version 5.1.0. System administrators can disable anonymous access in the System configuration panel.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-01T14:53:48.085Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45408\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-01T15:12:46.615Z\", \"dateReserved\": \"2024-08-28T20:21:32.804Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-01T14:53:48.085Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…