CVE-2022-31007
CVE-2022-31007 is a medium-severity vulnerability in Elabftw with a CVSS 3.x base score of 4.9. Its EPSS exploit-prediction score of 26% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-842.
Key facts
- Severity: Medium (CVSS 3.x base score 4.9)
- CVSS v2: 6.5
- EPSS exploit prediction: 26% (98th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-842
- Affected product: Elabftw
- Published:
- Last modified:
Description
eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one if the issues is removing the ability of administrators to create accounts.
Frequently asked questions
- What is CVE-2022-31007?
- eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one if the issues is removing the ability of administrators to create accounts.
- How severe is CVE-2022-31007?
- CVE-2022-31007 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2022-31007 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 26% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-31007?
- CVE-2022-31007 affects Elabftw. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-31007?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-31007 published?
- CVE-2022-31007 was published on 2022-05-31 and last updated on 2026-06-17.
References
- https://github.com/elabftw/elabftw/releases/tag/4.3.0
- https://github.com/elabftw/elabftw/security/advisories/GHSA-937c-m7p3-775v
Affected products (1)
- cpe:2.3:a:elabftw:elabftw:*:*:*:*:*:*:*:*
More vulnerabilities in Elabftw
- CVE-2021-43834 — Critical (CVSS 9.1): eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability…
- CVE-2024-28100 — High (CVSS 8.9): eLabFTW is an open source electronic lab notebook for research labs. By uploading specially crafted files, a regular…
- CVE-2019-12185 — High (CVSS 8.8): eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may…
- CVE-2024-25632 — High (CVSS 8.6): eLabFTW is an open source electronic lab notebook for research labs. In the context of eLabFTW, an administrator is a…
- CVE-2025-25206 — High (CVSS 8.3): eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input…
- CVE-2021-43833 — High (CVSS 8.1): eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability…
Other CWE-842 vulnerabilities
- CVE-2024-9412 — High (CVSS 8.4): An improper authorization vulnerability exists in the Rockwell Automation affected products that could allow an…
- CVE-2022-3650 — High (CVSS 7.8): A privilege escalation flaw was found in Ceph. Ceph-crash.service allows a local attacker to escalate privileges to…
- CVE-2026-6970 — High (CVSS 7.3): authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege…
- CVE-2022-2990 — High (CVSS 7.1): An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive…
- CVE-2022-2989 — High (CVSS 7.1): An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive…
- CVE-2022-45097 — Medium (CVSS 6.3): Dell PowerScale OneFS 9.0.0.x-9.4.0.x contains an Incorrect User Management vulnerability. A low privileged network…