Friday, October 22, 2021

CVE-2021-41171

Description

eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in the HTTP Cookie header. This issue has been addressed by implementing brute-force login protection with Device Cookies, as recommended by OWASP. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limiting upstream of the eLabFTW service is of course a valid option, with or without upgrading.
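The description above names the weakness (a failure counter keyed on a client-supplied PHPSESSID value, which resets as soon as the client sends a fresh one) and the fix (OWASP device cookies). The following added example, which is not eLabFTW's code and does not reproduce its pre-4.1.0 implementation, puts a simplified counter of the vulnerable kind beside a device-cookie guard so the difference is testable. The server key, user store, thresholds and lockout period are constructed sample values, and the password check is a stand-in for a real password hash.

```python
"""Session-keyed counter vs. OWASP device-cookie brute-force protection.

Added illustration; not eLabFTW's code. All secrets, users and limits
below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = b"constructed-server-secret"  # assumption: server-side secret, never sent to clients
MAX_ATTEMPTS = 5                             # failures tolerated per bucket before lockout
LOCKOUT_SECONDS = 900                        # lockout duration for a bucket
# Constructed user store; a real system uses argon2/bcrypt, not bare SHA-256.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def check_password(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)


class SessionKeyedLimiter:
    """The weak pattern: failures are counted per client-chosen session id,
    so every forged cookie value starts with an empty counter."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, user, password, session_id):
        if self.failures[session_id] >= MAX_ATTEMPTS:
            return "locked"
        if check_password(user, password):
            return "ok"
        self.failures[session_id] += 1
        return "denied"


class DeviceCookieGuard:
    """OWASP device cookies: a client proves it was issued a cookie by the
    server (HMAC over user,nonce); anyone else shares one per-user
    'untrusted clients' bucket, which a flood of forged cookies cannot reset."""

    def __init__(self):
        self.device_failures = defaultdict(int)     # keyed by (user, nonce)
        self.untrusted_failures = defaultdict(int)  # keyed by user
        self.device_locked_until = {}
        self.untrusted_locked_until = {}

    def _sign(self, user, nonce):
        return hmac.new(SERVER_KEY, f"{user},{nonce}".encode(), "sha256").hexdigest()

    def issue_device_cookie(self, user):
        nonce = secrets.token_hex(16)
        return f"{user},{nonce},{self._sign(user, nonce)}"

    def parse_device_cookie(self, cookie, user):
        """Return the nonce if the cookie is authentic and bound to `user`, else None."""
        try:
            cookie_user, nonce, sig = cookie.split(",")
        except (AttributeError, ValueError):
            return None
        if cookie_user != user or not hmac.compare_digest(sig, self._sign(user, nonce)):
            return None
        return nonce

    def login(self, user, password, device_cookie, now):
        nonce = self.parse_device_cookie(device_cookie, user)
        if nonce is not None:   # trusted device: its own bucket
            bucket, failures, locked = (user, nonce), self.device_failures, self.device_locked_until
        else:                   # no valid cookie: shared per-user bucket
            bucket, failures, locked = user, self.untrusted_failures, self.untrusted_locked_until
        if locked.get(bucket, 0) > now:
            return "locked", device_cookie
        if check_password(user, password):
            failures.pop(bucket, None)
            return "ok", self.issue_device_cookie(user)   # fresh cookie on success
        failures[bucket] += 1
        if failures[bucket] >= MAX_ATTEMPTS:
            locked[bucket] = now + LOCKOUT_SECONDS
            failures.pop(bucket, None)
        return "denied", device_cookie


def guesses_evaluated_session_keyed(attempts):
    """A fresh random session id per request: the counter never fills."""
    limiter = SessionKeyedLimiter()
    results = [limiter.login("alice", f"guess{i}", secrets.token_hex(13)) for i in range(attempts)]
    return results.count("denied")


def guesses_evaluated_device_cookie(attempts, now=1_000_000):
    """Forged cookies carry no valid HMAC, so they all land in one bucket.
    Returns (guesses actually checked, requests refused as locked)."""
    guard = DeviceCookieGuard()
    results = []
    for i in range(attempts):
        forged = f"alice,{secrets.token_hex(16)},{secrets.token_hex(32)}"
        results.append(guard.login("alice", f"guess{i}", forged, now)[0])
    return results.count("denied"), results.count("locked")


def legitimate_device_unaffected(now=1_000_000):
    """After untrusted clients are locked out, a previously issued device
    cookie still lets the real user in. Returns (untrusted result, device result)."""
    guard = DeviceCookieGuard()
    cookie = guard.issue_device_cookie("alice")
    for i in range(MAX_ATTEMPTS):
        guard.login("alice", f"guess{i}", None, now)
    without_cookie = guard.login("alice", "correct horse", None, now)[0]
    with_cookie = guard.login("alice", "correct horse", cookie, now)[0]
    return without_cookie, with_cookie
```

With 20 forged requests the session-keyed limiter evaluates all 20 guesses, while the device-cookie guard evaluates only MAX_ATTEMPTS of them and refuses the rest for the lockout period; the user holding a server-issued cookie is not affected by that lockout. A production version would also expire the failure counters after a time window and store them in shared state rather than in-process dictionaries.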

References to Advisories, Solutions, and Tools


Resources:
https://github.com/elabftw/elabftw/commit/8e92afeec4c3a68dc88333881b7e6307f425706b
https://github.com/elabftw/elabftw/releases/tag/4.1.0
https://github.com/elabftw/elabftw/security/advisories/GHSA-q67h-5pc3-g6jv
https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies
https://www.exploit-db.com/docs/50436