SB2021121547 - Multiple vulnerabilities in eLabFTW

Published: December 15, 2021 Updated: April 24, 2026

Security Bulletin ID: SB2021121547
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 50%, Medium: 50%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2021-43833)

The vulnerability allows a remote user to gain access to arbitrary accounts.

The vulnerability exists due to an authentication bypass using an alternate path or channel (CWE-288) in the email address handling logic: the application does not adequately restrict the email address a user may set on an account. A remote user who controls an account can set a specially crafted email address and use it to gain access to arbitrary accounts.

Only instances that have not configured an explicit email domain allowlist are affected. Exploitation requires control of an existing account, and because the default configuration requires an administrator to validate newly created accounts, an attacker on a default installation needs an account that an administrator has already validated.


2) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2021-43834)

The vulnerability allows a remote attacker to authenticate as an existing user.

The vulnerability exists due to an incorrect implementation of the authentication algorithm (CWE-303) when the login mechanism processes login attempts against accounts that were created through a single sign-on option. A remote attacker can submit crafted authentication data to authenticate as such an existing user.

Only instances that use LDAP or SAML authentication for the affected accounts are vulnerable.
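The following is an added example, not eLabFTW's code and not the vendor's fix, showing the two checks the items above call for in one small constructed user store: an email change that enforces a domain allowlist and refuses an address already owned by another account (the precondition and bug class of item 1), and a local password login that refuses accounts created through LDAP or SAML regardless of the submitted password (the bug class of item 2). The field names (auth_service, password_hash, salt), the allowlist setting, the PBKDF2 hashing and the sample accounts are all assumptions made for the illustration.

```python
"""Added example (not eLabFTW code): hardened email-change and local-login
checks for the two bug classes in this bulletin. The user table, the field
names (auth_service, password_hash, salt), the allowlist setting and the
sample accounts are assumptions made for the illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(email: str) -> str:
    """Canonical form used for every comparison: trimmed and lower-cased.
    Comparing raw strings lets 'Alice@Lab.example' coexist with
    'alice@lab.example' and defeats a uniqueness check."""
    return email.strip().lower()


@dataclass
class User:
    userid: int
    email: str
    auth_service: str           # "local", "ldap" or "saml" (assumed field)
    salt: bytes = b""
    password_hash: bytes = b""  # empty for accounts created through SSO


class UserStore:
    def __init__(self, allowed_domains: Optional[set] = None):
        self.users: dict = {}
        # None models "no explicit email domain allowlist", the configuration
        # the bulletin says is affected by CVE-2021-43833.
        self.allowed_domains = allowed_domains

    def add_local(self, userid: int, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[userid] = User(userid, normalize(email), "local", salt, digest)

    def add_sso(self, userid: int, email: str, service: str) -> None:
        self.users[userid] = User(userid, normalize(email), service)

    def find_by_email(self, email: str) -> Optional[User]:
        wanted = normalize(email)
        for user in self.users.values():
            if user.email == wanted:
                return user
        return None

    def set_email(self, userid: int, new_email: str) -> bool:
        """Hardened email change. Returns True only if the change was applied."""
        candidate = normalize(new_email)
        if not EMAIL_RE.match(candidate):
            return False
        # 1) Allowlist: when one is configured, the domain must be on it.
        if self.allowed_domains is not None:
            domain = candidate.rsplit("@", 1)[1]
            if domain not in self.allowed_domains:
                return False
        # 2) Uniqueness: no other account may already own this address.
        #    Without this, any email-keyed flow (password reset, SSO attribute
        #    matching) can resolve to the wrong account.
        owner = self.find_by_email(candidate)
        if owner is not None and owner.userid != userid:
            return False
        self.users[userid].email = candidate
        return True

    def local_login(self, email: str, password: str) -> Optional[User]:
        """Hardened local (password) login; returns the user or None."""
        user = self.find_by_email(email)
        if user is None:
            return None
        # Accounts created through LDAP or SAML carry no local credential and
        # must never be reachable through the password path, whatever the
        # submitted password is: the gate comes before any hash comparison.
        if user.auth_service != "local" or not user.password_hash:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
        if not hmac.compare_digest(digest, user.password_hash):
            return None
        return user


def demo() -> dict:
    """Constructed scenario; each value is True when the check behaves."""
    store = UserStore(allowed_domains=None)  # no allowlist configured
    store.add_local(1, "alice@lab.example", "correct horse battery staple")
    store.add_sso(2, "bob@lab.example", "saml")
    store.add_local(3, "mallory@attacker.example", "hunter2")
    strict = UserStore(allowed_domains={"lab.example"})
    strict.add_local(9, "carol@lab.example", "pw")
    return {
        # Mallory may not take Alice's address, even with different casing.
        "collision_rejected": store.set_email(3, "Alice@Lab.example") is False,
        # Bob's SAML account cannot be entered through the password form.
        "sso_local_login_refused": store.local_login("bob@lab.example", "") is None,
        # The legitimate local path still works, and a wrong password fails.
        "alice_logs_in": store.local_login("ALICE@lab.example", "correct horse battery staple") is not None,
        "wrong_password_refused": store.local_login("alice@lab.example", "nope") is None,
        # With an allowlist configured, an outside domain is refused too.
        "allowlist_enforced": strict.set_email(9, "carol@elsewhere.example") is False,
    }


if __name__ == "__main__":
    print(demo())
```

The ordering inside local_login is the point for item 2: the auth_service gate runs before any password verification, so an SSO account cannot be reached by guessing what the stored local credential (if any) looks like. For item 1, the uniqueness check keys on the normalized address, since a check on the raw string would accept a differently cased copy of a victim's address.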


Remediation

Install the update from the vendor's website. Configuring an explicit email domain allowlist removes the precondition for the first issue but is not a substitute for the update, and it does nothing for the second issue.