Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2024-11716 and CVE-2024-11717) found in the CTFd software.
Analysis Summary
This summary covers the two vulnerabilities in CTFd disclosed by CERT Polska.
# Vulnerability: CTFd Team Reassignment & Token Reuse Flaws
## CVE Details
- **CVSS Score:** Not provided in the source for either CVE; the Medium/High severity given here is an editorial estimate from the descriptions, not an official score.
- **CVE ID:** CVE-2024-11716
  - **CWE:** CWE-837 (Improper Enforcement of a Single, Unique Action)
- **CVE ID:** CVE-2024-11717
  - **CWE:** CWE-837 (Improper Enforcement of a Single, Unique Action)
## Affected Systems
- **Products:** CTFd
- **Versions:**
- CVE-2024-11716: 3.7.0 through 3.7.4
- CVE-2024-11717: All versions through 3.7.4
- **Configurations:** Standard installation of affected versions.
## Vulnerability Description
### CVE-2024-11716 (Team Reassignment Logic Flaw)
A flaw in the assignment logic lets an authenticated user reset their assigned competition team (bracket) and then join a different one, even while the competition is running. The intended behaviour is that the assignment is made once, at registration, and is not changed afterwards by the user; clearing the assignment first bypasses that "only once" rule.
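The logic flaw as an added model, not CTFd's code: a write-once assignment whose check is sound on its own, a self-service reset that lets a user clear the field and pass that check a second time, and the hardened shape in which the only path to a changed assignment is an audited administrator action. Bracket ids, user names and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_BRACKETS = {1: "students", 2: "professionals"}   # constructed sample brackets


@dataclass
class User:
    name: str
    bracket_id: Optional[int] = None
    # audit trail: (timestamp, actor, old_bracket, new_bracket)
    changes: List[Tuple[int, str, Optional[int], Optional[int]]] = field(default_factory=list)

    def _set(self, now: int, actor: str, new: Optional[int]) -> None:
        self.changes.append((now, actor, self.bracket_id, new))
        self.bracket_id = new


class WorkflowError(Exception):
    """A request arrived outside the workflow step it belongs to."""


def join_bracket(user: User, bracket_id: int, now: int) -> None:
    """Self-service assignment, shared by both shapes: valid only while still unset."""
    if bracket_id not in VALID_BRACKETS:
        raise WorkflowError("unknown bracket")
    if user.bracket_id is not None:
        raise WorkflowError("bracket is chosen once, at registration")
    user._set(now, user.name, bracket_id)


# Vulnerable shape: the "set once" check above is real, but a self-service reset
# is reachable, so a user can clear the field and pass the check a second time.
def reset_bracket_vulnerable(user: User, now: int) -> None:
    user._set(now, user.name, None)       # nothing gates this step


# Hardened shape: no self-service reset exists; the only way to change an
# assignment after registration is an administrator action, and it is recorded.
def admin_move_bracket(user: User, bracket_id: int, now: int,
                       actor: str, actor_is_admin: bool) -> None:
    if not actor_is_admin:
        raise WorkflowError("only an administrator may reassign a bracket")
    if bracket_id not in VALID_BRACKETS:
        raise WorkflowError("unknown bracket")
    user._set(now, actor, bracket_id)


def demo() -> dict:
    """Runs both shapes through the same sequence and returns what an auditor would see."""
    contest_start = 1_700_000_000                      # constructed timestamps
    registration, mid_contest = contest_start - 3600, contest_start + 3600

    v = User("alice")
    join_bracket(v, 1, registration)
    reset_bracket_vulnerable(v, mid_contest)           # accepted while the contest runs
    join_bracket(v, 2, mid_contest + 1)                # once-only check satisfied again

    h = User("alice")
    join_bracket(h, 1, registration)
    try:
        join_bracket(h, 2, mid_contest)                # no reset available: refused
        self_service_error = None
    except WorkflowError as e:
        self_service_error = str(e)
    try:
        admin_move_bracket(h, 2, mid_contest, actor="alice", actor_is_admin=False)
    except WorkflowError:
        pass                                           # a user cannot use the admin path
    admin_move_bracket(h, 2, mid_contest + 1, actor="admin", actor_is_admin=True)

    return {
        "vulnerable_final": v.bracket_id,              # 2: switched mid-contest
        "vulnerable_trail": [(a, o, n) for _, a, o, n in v.changes],
        "hardened_refusal": self_service_error,
        "hardened_final": h.bracket_id,                # 2, but only via the admin path
        "hardened_trail": [(a, o, n) for _, a, o, n in h.changes],
    }
```

The point of the trail is that in the hardened shape every change after registration carries an administrator as the actor; a self-service change after the first assignment is simply not reachable, which is the property the flaw violated.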
### CVE-2024-11717 (Reusable Account Tokens)
Tokens used for account activation and password reset are reusable: they are sent to the server as GET parameters and are not invalidated after first use, so a valid token keeps working until it expires. An on-path attacker who intercepts a token can replay it to set a new password and take over the account. Because the token travels in the URL, live interception is not the only capture path; URLs are also recorded in places such as server and proxy logs, browser history and Referer headers. The token additionally embeds the user's email address, base64 encoded rather than encrypted, so anyone holding the token can read the address without the server's secret.
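The token mechanics above, as an added illustration that is not CTFd's code: a minimal timed, signed token built with the standard library (the same shape as an itsdangerous-style token: base64url payload, timestamp, HMAC), a reset handler that checks only signature and expiry and therefore accepts the same token twice, and a hardened handler that binds the token to the password it is allowed to replace and records it once spent. The secret, the TTL, the sample account and the password hashing are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"example-signing-secret"   # assumption: the server's secret key
TOKEN_TTL = 1800                     # seconds; illustrative lifetime


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def hash_pw(password: str) -> str:
    # stand-in for a real password hash (use bcrypt/argon2 in production)
    return hashlib.sha256(password.encode()).hexdigest()


def _pw_fingerprint(password_hash: str) -> str:
    # short derived value that changes whenever the stored credential changes
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]


def make_token(email: str, users: dict, now: int, bind_to_password: bool) -> str:
    """Timestamped, HMAC-signed token; the payload is base64url JSON, not encrypted."""
    payload = {"email": email, "ts": now}
    if bind_to_password:
        payload["pw"] = _pw_fingerprint(users[email])
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _sign(body)


def peek_email(token: str) -> str:
    """Anyone holding the token can read the address: no secret is needed."""
    return json.loads(_unb64(token.split(".", 1)[0]))["email"]


def parse_token(token: str, now: int) -> Optional[dict]:
    """Signature and expiry check only; says nothing about whether it was already used."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    data = json.loads(_unb64(body))
    if now - data["ts"] > TOKEN_TTL:
        return None
    return data


def reset_password_vulnerable(users: dict, token: str, new_password: str, now: int) -> bool:
    """The flawed shape: a captured token keeps working until its TTL runs out."""
    data = parse_token(token, now)
    if data is None or data["email"] not in users:
        return False
    users[data["email"]] = hash_pw(new_password)
    return True                      # nothing records that the token has been spent


def reset_password_hardened(users: dict, token: str, new_password: str,
                            now: int, consumed: set) -> bool:
    """Single use: tied to the credential it replaces and recorded once spent."""
    data = parse_token(token, now)
    if data is None or data["email"] not in users:
        return False
    email = data["email"]
    if data.get("pw") != _pw_fingerprint(users[email]):
        return False                 # password already changed, so this token is stale
    if token in consumed:
        return False                 # replay before the hash changed (e.g. a race) is also refused
    consumed.add(token)
    users[email] = hash_pw(new_password)
    return True


def demo() -> dict:
    """Runs both flows on a constructed account and returns the observable outcomes."""
    now, email = 1_700_000_000, "alice@example.com"
    users_v = {email: hash_pw("old-password")}        # constructed sample account
    t_v = make_token(email, users_v, now, bind_to_password=False)
    vulnerable = (reset_password_vulnerable(users_v, t_v, "victim-new", now + 60),
                  reset_password_vulnerable(users_v, t_v, "attacker", now + 120))
    users_h = {email: hash_pw("old-password")}
    consumed: set = set()
    t_h = make_token(email, users_h, now, bind_to_password=True)
    hardened = (reset_password_hardened(users_h, t_h, "victim-new", now + 60, consumed),
                reset_password_hardened(users_h, t_h, "attacker", now + 120, consumed))
    return {
        "vulnerable": vulnerable,                     # (True, True): replay succeeds
        "hardened": hardened,                         # (True, False): second use refused
        "expired": reset_password_vulnerable(users_v, t_v, "late", now + TOKEN_TTL + 1),
        "leaked_email": peek_email(t_v),              # readable without the secret
    }
```

Binding the token to a fingerprint of the current password hash makes a successful reset invalidate the token on its own, with no extra table to clean up; the server-side `consumed` set closes the window in which the same token could be replayed before the hash changes.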
## Exploitation
- **Status:** No public proof-of-concept is cited; the researcher's full-disclosure post (see References) contains the technical details.
- **Complexity:** Low. CVE-2024-11716 needs only an ordinary authenticated account; CVE-2024-11717 needs a captured token (network eavesdropping or MitM against the reset or activation link, or any other source that records the URL).
- **Attack Vector:**
  - CVE-2024-11716: Network; any authenticated user of the instance can trigger it, with no victim interaction.
  - CVE-2024-11717: Network; requires the token to leak or be intercepted.
## Impact
- **Confidentiality:** High (CVE-2024-11717 ends in account takeover, which exposes everything the account can access; the token itself also discloses the user's email to anyone who obtains it, since it is only base64 encoded).
- **Integrity:** High (CVE-2024-11716 allows unauthorized change of team affiliation during competition; CVE-2024-11717 allows complete account takeover).
- **Availability:** Low (No direct denial of service described).
## Remediation
### Patches
Both vulnerabilities were addressed in the following release:
- **CTFd version 3.7.5** (Includes fixes from PR #2636 and PR #2679).
### Workarounds
No specific workarounds were detailed in the provided context; the mitigation is to upgrade to CTFd 3.7.5 or later. Until an instance is upgraded, serving it exclusively over HTTPS limits the on-path token capture that CVE-2024-11717 relies on, but it does not make the tokens single-use.
## Detection
- **Indicators of Compromise:**
  - A user's team or bracket changing after registration, in particular while the competition is running (CVE-2024-11716).
  - The same password reset or account activation token presented more than once, especially from different client addresses, or presented after its expected first use (CVE-2024-11717).
- **Detection methods and tools:** Audit the endpoints that change team or bracket assignment and alert on changes after registration; correlate web server access logs for reset and activation URLs so that repeated use of one token is visible; and have the application reject, and log, tokens that are expired or already spent.
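Added detection example, not from the advisory and not CTFd's code: it parses combined-format access log lines, treats the POST to a reset URL and the GET to an activation URL as the requests that spend a token, and flags any token spent more than once, attributing the finding by decoding the base64 payload. The route names `/reset_password/<token>` and `/confirm/<token>`, the log lines and the tokens are constructed assumptions about a CTFd-style deployment.

```python
import base64
import json
import re
from collections import defaultdict
from typing import Dict, List

# Assumption: CTFd-style routes that carry the token in the URL path.
TOKEN_PATH = re.compile(r"^/(reset_password|confirm)/([A-Za-z0-9_\-.]+)$")
# Combined-format access log line (nginx/Apache style).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _sample_token(email: str) -> str:
    """Constructed token with the shape under discussion: base64url(JSON) '.' signature.
    The signature is a placeholder; only the readable payload matters for detection."""
    body = base64.urlsafe_b64encode(json.dumps({"email": email, "ts": 1733392800}).encode())
    return body.rstrip(b"=").decode() + ".placeholder-signature"


def _email_from_token(token: str) -> str:
    """The payload is only base64 encoded, so the address is recoverable from the log."""
    body = token.split(".", 1)[0]
    try:
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["email"]
    except (ValueError, KeyError, TypeError):
        return "?"


def find_token_reuse(lines: List[str]) -> List[Dict]:
    """Flag any activation or reset token that was consumed more than once."""
    uses = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        p = TOKEN_PATH.match(m["path"])
        if not p:
            continue
        kind, token = p.groups()
        # A GET on /reset_password only renders the form; the POST spends the token.
        # A GET on /confirm activates the account directly.
        consuming = ((kind == "reset_password" and m["method"] == "POST")
                     or (kind == "confirm" and m["method"] == "GET"))
        if consuming:
            uses[(kind, token)].append((m["ts"], m["ip"], m["status"]))
    findings = []
    for (kind, token), events in uses.items():
        if len(events) > 1:
            findings.append({
                "kind": kind,
                "email": _email_from_token(token),
                "uses": len(events),
                "ips": sorted({ip for _, ip, _ in events}),
                "first": events[0][0],
                "last": events[-1][0],
            })
    return findings


# Constructed sample log: alice's reset token is spent twice from two addresses,
# bob's once, carol's activation link is followed twice, plus unrelated traffic.
T_ALICE, T_BOB, T_CAROL = (_sample_token(e) for e in
                           ("alice@example.com", "bob@example.com", "carol@example.com"))
SAMPLE_LOG = [
    f'203.0.113.10 - - [05/Dec/2024:10:00:01 +0000] "GET /reset_password/{T_ALICE} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [05/Dec/2024:10:00:20 +0000] "POST /reset_password/{T_ALICE} HTTP/1.1" 302 209 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [05/Dec/2024:10:07:45 +0000] "POST /reset_password/{T_ALICE} HTTP/1.1" 302 209 "-" "curl/8.4.0"',
    f'203.0.113.22 - - [05/Dec/2024:10:12:00 +0000] "GET /reset_password/{T_BOB} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'203.0.113.22 - - [05/Dec/2024:10:12:30 +0000] "POST /reset_password/{T_BOB} HTTP/1.1" 302 209 "-" "Mozilla/5.0"',
    f'203.0.113.40 - - [05/Dec/2024:10:15:00 +0000] "GET /confirm/{T_CAROL} HTTP/1.1" 302 209 "-" "Mozilla/5.0"',
    f'192.0.2.99 - - [05/Dec/2024:11:02:13 +0000] "GET /confirm/{T_CAROL} HTTP/1.1" 302 209 "-" "python-requests/2.31"',
    '203.0.113.10 - - [05/Dec/2024:10:20:00 +0000] "GET /challenges HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

A second consuming request for the same token is the indicator; a second address on top of it is the strongest signal, since a legitimate user reloading a page produces repeat GETs, not repeat POSTs from elsewhere. On a patched instance the second use should appear with an error status rather than a redirect, which is itself worth alerting on.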
## References
- Researcher technical details published: hxxps://seclists.org/fulldisclosure/2024/Dec/21
- Coordinated Vulnerability Disclosure process: hxxps://cert.pl/en/cvd/