Cyber Posture

CVE-2024-11716


Published: 02 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: N/A
EPSS Score: 0.0658 (91.2nd percentile)
Risk Priority: 4 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.

Security Summary

CVE-2024-11716 is a logic implementation flaw in CTFd, an open-source platform for hosting Capture The Flag (CTF) competitions. The vulnerability affects releases from 3.7.0 up to and including 3.7.4. Normally, user assignment to a team (bracket) should occur only once during registration, but the defect allows an authenticated user to reset their bracket and join a different team even while a competition is ongoing.

An authenticated user, such as a registered competition participant, can exploit this issue to switch teams mid-competition. Successful exploitation enables the user to abandon their original team and join another, potentially disrupting competition integrity by allowing score transfers, collusion, or other manipulations tied to team standings.
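The following Python model is an added illustration, not CTFd's code and not the change made in pull request 2636. It shows the invariant the summary describes (a participant's bracket is set once, at registration, and cannot be reset by the participant afterward) as a flawed service beside a hardened one. All names here (`UserRecord`, `VulnerableBracketService`, `HardenedBracketService`, `rejoin_outcome`) and the in-memory store are assumptions chosen for the example.

```python
"""Write-once team/bracket assignment: flawed model beside a hardened one.

Added example, not CTFd's own code. Class and function names and the
in-memory user store are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Optional


class BracketLocked(Exception):
    """Raised when a caller tries to change an already-assigned bracket."""


@dataclass
class UserRecord:
    user_id: int
    bracket_id: Optional[int] = None


class VulnerableBracketService:
    """Models the flawed logic: a reset path clears the bracket, after which
    the normal (guarded) assignment path happily accepts a new one."""

    def __init__(self) -> None:
        self.users: dict[int, UserRecord] = {}

    def register(self, user_id: int, bracket_id: int) -> None:
        # Registration is the one legitimate point at which a bracket is chosen.
        self.users[user_id] = UserRecord(user_id, bracket_id)

    def reset_bracket(self, user_id: int) -> None:
        # Flaw: any authenticated user can clear their own bracket, which
        # defeats the "already assigned" check in assign_bracket below.
        self.users[user_id].bracket_id = None

    def assign_bracket(self, user_id: int, bracket_id: int) -> None:
        user = self.users[user_id]
        if user.bracket_id is not None:
            raise BracketLocked(f"user {user_id} already in bracket {user.bracket_id}")
        user.bracket_id = bracket_id


class HardenedBracketService(VulnerableBracketService):
    """Enforces the single-action invariant (CWE-837): once set, a bracket is
    immutable for the participant; only an administrator may clear it, and
    both the denial and the admin action are recorded."""

    def __init__(self) -> None:
        super().__init__()
        self.audit_log: list[str] = []

    def reset_bracket(self, user_id: int, *, acting_admin: Optional[str] = None) -> None:
        if acting_admin is None:
            # Participant-initiated reset is refused outright and logged, so a
            # repeated attempt mid-competition is visible to operators.
            self.audit_log.append(f"DENIED bracket reset requested by user {user_id}")
            raise BracketLocked("bracket assignment is write-once for participants")
        self.audit_log.append(f"ADMIN {acting_admin} reset bracket for user {user_id}")
        super().reset_bracket(user_id)


def rejoin_outcome(service: VulnerableBracketService, user_id: int, new_bracket: int) -> Optional[int]:
    """Run the reset-then-reassign sequence as a participant and report the
    bracket the user ends up in. A hardened service leaves it unchanged."""
    try:
        service.reset_bracket(user_id)
        service.assign_bracket(user_id, new_bracket)
    except BracketLocked:
        pass
    return service.users[user_id].bracket_id


if __name__ == "__main__":
    # Constructed sample: user 7 registered into bracket 1, then tries bracket 2.
    flawed = VulnerableBracketService()
    flawed.register(7, 1)
    print("flawed service, bracket after attempt:", rejoin_outcome(flawed, 7, 2))

    hardened = HardenedBracketService()
    hardened.register(7, 1)
    print("hardened service, bracket after attempt:", rejoin_outcome(hardened, 7, 2))
    print("audit:", hardened.audit_log)
```

The point of the hardened variant is that the guard in `assign_bracket` alone is not enough: any code path that can return the field to its unset state reopens the assignment, so the reset path itself must be restricted to an administrative role and audited.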

The vulnerability was addressed in CTFd 3.7.5 via pull request 2636 on GitHub. Mitigation consists of upgrading to version 3.7.5 or later. Further details on the fix and disclosure are provided in the CTFd blog post at https://blog.ctfd.io/ctfd-3-7-5/, the CERT.PL advisory at https://cert.pl/en/posts/2025/01/CVE-2024-11716, and the Full Disclosure mailing list post at https://seclists.org/fulldisclosure/2024/Dec/21.

Details

CWE(s): CWE-837 (Improper Enforcement of a Single, Unique Action)
