CVE-2024-11716
Published: 02 January 2025
Summary
CVE-2024-11716 is a medium-severity Improper Enforcement of a Single, Unique Action (CWE-837) vulnerability in CTFd (inferred from references). Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CTFd, an open-source capture-the-flag platform, contains a logic flaw in its team (bracket) assignment mechanism that affects versions 3.7.0 through 3.7.4. Although bracket assignment is intended to occur only once during initial registration, the implementation permits an authenticated user to reset an existing bracket assignment and select a different one after a competition has begun.
An authenticated participant can therefore exploit the issue to switch teams mid-event, potentially gaining access to another team's progress, challenges, or scoring data. The vulnerability carries a CVSS 4.0 score of 5.3 and is tracked under CWE-837 (Improper Enforcement of a Single, Unique Action).
The flaw was corrected in release 3.7.5 by pull request 2636, as noted in the CTFd 3.7.5 announcement and related advisories from CERT.pl and Full Disclosure. Administrators are advised to upgrade to the patched version to restore the intended one-time assignment restriction.
EPSS scores have remained low, with a current value of 0.0513 and a peak of 0.0658, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34048
- 🇵🇱 CERT-PL: cert.pl
Vulnerability details
While assignment of a user to a team (bracket) in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 (https://github.com/CTFd/CTFd/pull/2636), included in the 3.7.5 release.
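The one-time rule that the Deeper analysis and Vulnerability details sections describe, shown as an added example that is not CTFd's own code: a simplified profile-update handler in the vulnerable shape (bracket treated as a freely editable attribute, so it can be cleared and re-chosen) beside a hardened one that enforces a single, irreversible assignment. The `User` model, `VALID_BRACKETS` and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed, minimal stand-in for a user record (not CTFd's real schema).
@dataclass
class User:
    id: int
    bracket_id: Optional[int] = None

VALID_BRACKETS = {1, 2}  # constructed sample bracket ids


def update_bracket_vulnerable(user: User, new_bracket: Optional[int]) -> User:
    """Vulnerable pattern (CWE-837): the bracket is handled like any other
    editable profile field, so a user may clear it (None) and then choose a
    different one at any time, including after the event has started."""
    if new_bracket is not None and new_bracket not in VALID_BRACKETS:
        raise ValueError("unknown bracket")
    user.bracket_id = new_bracket
    return user


def update_bracket_fixed(user: User, new_bracket: Optional[int]) -> User:
    """Hardened pattern: bracket assignment is a single, one-time action.
    Only the initial assignment (from None) is accepted; clearing or
    changing an existing assignment is rejected server-side, regardless
    of what the client submits."""
    if new_bracket is None:
        raise PermissionError("bracket cannot be reset")
    if new_bracket not in VALID_BRACKETS:
        raise ValueError("unknown bracket")
    if user.bracket_id is not None and user.bracket_id != new_bracket:
        raise PermissionError("bracket already assigned; changes not permitted")
    user.bracket_id = new_bracket
    return user


def attempt_reset_and_switch(update_fn: Callable, start: int = 1, target: int = 2) -> Optional[int]:
    """Regression check for the one-time rule: a user already in `start`
    submits a reset followed by a new choice. Returns the bracket the user
    ends up in; a correct handler leaves it at `start`."""
    user = User(id=42, bracket_id=start)
    for value in (None, target):
        try:
            update_fn(user, value)
        except PermissionError:
            pass  # the hardened handler refuses; the vulnerable one does not
    return user.bracket_id
```

The regression helper is the kind of unit test that would have caught the flaw before 3.7.5: it must return the original bracket for the patched handler.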
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Logic flaw in public-facing CTFd web app allows authenticated users to manipulate team/group assignments mid-event.
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for logical access; applied to the bracket workflow, it means the server rejects any reset or change of a team assignment after registration rather than trusting the client's request.
SI-2 requires timely remediation of identified flaws, such as patching CTFd to version 3.7.5 or later to fix the team-switching vulnerability.
AC-2 manages account attributes including conditions for group and role membership, addressing team assignment restrictions to limit changes post-registration.