Blind Server-Side Request Forgery (SSRF) in eLabFTW

Low
NicolasCARPi published GHSA-mh6g-62p8-26m4 Jun 21, 2021

Package

elabftw (php)

Affected versions

<4.0.0

Patched versions

4.0.0

Description

Impact

This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request.
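One server-side mitigation for this class of bug, as an added example (not eLabFTW's code or the 3d2db4d fix): validate a user-supplied URL before the server fetches it, allowing only plain http(s) on the standard port and refusing any host that resolves to a non-public address. The `.test` hostnames and their records are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> standard port (assumed policy)

# Constructed DNS records so the example runs offline; not real hosts.
CONSTRUCTED_RECORDS = {
    "example.test": ["93.184.216.34"],
    "internal.test": ["10.0.0.5"],
    "dual.test": ["93.184.216.34", "::ffff:127.0.0.1"],
}

def table_resolver(host):
    """Offline stand-in for DNS: answers from CONSTRUCTED_RECORDS or a literal IP."""
    if host in CONSTRUCTED_RECORDS:
        return CONSTRUCTED_RECORDS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        raise OSError("nxdomain")

def dns_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]  # real DNS, needs network

def is_safe_outbound_url(url, resolver=dns_resolver):
    """Return (ok, reason); ok only for plain http(s) whose host resolves to public addresses only."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        if parts.port not in (None, ALLOWED_SCHEMES[parts.scheme]):
            return False, "non-standard port"
    except ValueError:
        return False, "invalid port"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "dns failure"
    for raw in addrs:
        ip = ipaddress.ip_address(raw.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not global
        if not ip.is_global:
            return False, f"{raw} is not a public address"
    # Connect to these exact addresses (pin them); a fresh lookup could return an internal one (DNS rebinding).
    return True, "ok"
```

Every record the host resolves to must pass, so a name with one public and one internal answer is refused.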

Patches

The issue has been patched in eLabFTW 4.0.0.

Workarounds

You can apply this commit if you cannot upgrade: 3d2db4d

References

This issue has been found and responsibly disclosed through proper channels by Rafal Lykowski (@mgrRaf) and Piyush Patil (@xoffense).

More information on the vulnerability can be found in this presentation: https://docs.google.com/presentation/d/1vMbvg05euZdq1wDxtR04EvC6iBiyIbcFeRAHWr1McdA/htmlpresent

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-32698
