CVE-2022-31007

CVE-2022-31007 is a medium-severity vulnerability in Elabftw with a CVSS 3.x base score of 4.9. Its EPSS exploit-prediction score of 26% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-842.

Key facts

Description

eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one if the issues is removing the ability of administrators to create accounts.

Frequently asked questions

What is CVE-2022-31007?
eLabFTW is an electronic lab notebook manager for research teams. Prior to version 4.3.0, a vulnerability allows an authenticated user with an administrator role in a team to assign itself system administrator privileges within the application, or create a new system administrator account. The issue has been corrected in eLabFTW version 4.3.0. In the context of eLabFTW, an administrator is a user account with certain privileges to manage users and content in their assigned team/teams. A system administrator account can manage all accounts, teams and edit system-wide settings within the application. The impact is not deemed as high, as it requires the attacker to have access to an administrator account. Regular user accounts cannot exploit this to gain admin rights. A workaround for one if the issues is removing the ability of administrators to create accounts.
How severe is CVE-2022-31007?
CVE-2022-31007 has a CVSS 3.x base score of 4.9, rated medium severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
Is CVE-2022-31007 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 26% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2022-31007?
CVE-2022-31007 affects Elabftw. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-31007?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2022-31007 published?
CVE-2022-31007 was published on 2022-05-31 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Elabftw

All CVEs affecting Elabftw →

Other CWE-842 vulnerabilities

Browse all CWE-842 vulnerabilities →