CVE-2024-34077 in MantisBT
Summary
by MITRE • 05/14/2024
MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset process allows an attacker to reset another user's password and take over their account, if the victim has an incomplete request pending. The exploit is only possible while the verification token is valid, i.e. for 5 minutes after the confirmation URL sent by e-mail has been opened, and the user did not complete the process by updating their password. A brute-force attack calling account_update.php with increasing user IDs is possible. A successful takeover would grant the attacker full access to the compromised account, including sensitive information and functionalities associated with the account, the extent of which depends on its privileges and the data it has access to. Version 2.26.2 contains a patch for the issue. As a workaround, one may mitigate the risk by reducing the verification token's validity (change the value of the `TOKEN_EXPIRY_AUTHENTICATED` constant in `constants_inc.php`).
Analysis
by VulDB Data Team • 01/17/2025
CVE-2024-34077 is a critical access control vulnerability in MantisBT versions prior to 2.26.2 (the release that contains the patch), where insufficient validation in the registration and password reset mechanisms enables unauthorized account takeover. The flaw lets an attacker complete a registration or password reset request that another user started but has not yet finished: the victim's verification token remains active for five minutes after the e-mailed confirmation link is opened, and during that window the final step is not properly tied to the person who received the link. The issue aligns with CWE-284 Access Control Issues, since it permits unauthorized access to user accounts through manipulation of the authentication workflow. The precondition is a user who initiates registration or a password reset, opens the confirmation link, and does not set a new password before the token expires.
The attack pattern described in the advisory is a brute-force sweep of the account_update.php endpoint with sequentially incremented user IDs, which lets an attacker find accounts that currently have a pending verification request and complete those requests in the victim's place. It works only in the short interval between the confirmation link being opened and the user finishing the reset, so each victim is exposed for at most the token lifetime. The vulnerability demonstrates characteristics consistent with ATT&CK technique T1566 Credential Access through Social Engineering, as it exploits user interaction with e-mail verification mechanisms to gain unauthorized access. A successful exploit gives the attacker the full privileges of the compromised account, potentially exposing sensitive data, administrative functionality, and any system resources that account can reach.
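The enumeration pattern described above leaves a distinctive footprint in web-server access logs: one client hitting account_update.php many times in a short span, often with a changing user ID. The following detector is an added example and is not MantisBT code or part of this advisory. It parses constructed Apache combined-format lines, keeps a per-client sliding window of requests to that endpoint, and flags clients that exceed a threshold; the `user_id` query parameter, the paths and the addresses are all assumptions made for illustration (in a real deployment the ID may travel in the POST body and be visible only in application logs, so treat the distinct-ID count as a bonus signal rather than the primary one).

```python
"""Flag possible user-ID enumeration against account_update.php in access logs.
Added example for this advisory, not MantisBT code; all log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/account_update.php"  # endpoint named in the advisory

# Constructed sample: one client sweeping user IDs, one client behaving normally.
# Carrying user_id in the query string is an assumption for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2024:10:00:01 +0000] "POST /mantis/account_update.php?user_id=101 HTTP/1.1" 302 0
203.0.113.7 - - [14/May/2024:10:00:02 +0000] "POST /mantis/account_update.php?user_id=102 HTTP/1.1" 302 0
203.0.113.7 - - [14/May/2024:10:00:03 +0000] "POST /mantis/account_update.php?user_id=103 HTTP/1.1" 302 0
203.0.113.7 - - [14/May/2024:10:00:04 +0000] "POST /mantis/account_update.php?user_id=104 HTTP/1.1" 302 0
198.51.100.9 - - [14/May/2024:10:00:05 +0000] "GET /mantis/view.php?id=5 HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2024:10:00:05 +0000] "POST /mantis/account_update.php?user_id=105 HTTP/1.1" 302 0
203.0.113.7 - - [14/May/2024:10:00:06 +0000] "POST /mantis/account_update.php?user_id=106 HTTP/1.1" 302 0
198.51.100.9 - - [14/May/2024:10:03:00 +0000] "POST /mantis/account_update.php?user_id=42 HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict with ip, timestamp, path (without query), optional uid, status;
    None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    raw_path = m.group("path")
    q = re.search(r"[?&]user_id=(\d+)", raw_path)
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": raw_path.split("?", 1)[0],
        "uid": int(q.group(1)) if q else None,
        "status": int(m.group("status")),
    }


def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (max_hits_in_window, max_distinct_ids_in_window)} for clients
    that reached `threshold` requests to TARGET inside any `window` span.
    Lines are assumed to be in chronological order, as access logs normally are."""
    per_ip = defaultdict(deque)  # ip -> deque of (timestamp, uid) inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(TARGET):
            continue
        dq = per_ip[rec["ip"]]
        dq.append((rec["ts"], rec["uid"]))
        # Drop entries that fell out of the sliding window.
        while dq and rec["ts"] - dq[0][0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            distinct = {uid for _, uid in dq if uid is not None}
            hits, ids = flagged.get(rec["ip"], (0, 0))
            flagged[rec["ip"]] = (max(hits, len(dq)), max(ids, len(distinct)))
    return flagged


if __name__ == "__main__":
    for ip, (hits, ids) in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} account_update.php requests, {ids} distinct user IDs in window")
```

The threshold and window are tuning knobs; a legitimate user completes one reset at a time, so a handful of requests per minute from one address to this endpoint is already unusual and worth an alert or a rate limit at the reverse proxy.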
The operational impact extends beyond simple credential theft, because a full account compromise can cascade through the issue tracking system. An attacker can read confidential project information, modify or delete issues, change user permissions, and potentially escalate privileges within the system. The risk is highest where the compromised user holds elevated privileges or access to sensitive project data, since a single account can then expose critical organizational information. Organizations running MantisBT should also weigh the secondary consequences: data breaches, unauthorized changes, and tampering with the audit trail that underpins the system's integrity. The patch in version 2.26.2 addresses the core issue with proper access controls and token validation, so that only the user who holds the verification token can complete a registration or password reset. As a temporary mitigation, administrators can reduce the value of the TOKEN_EXPIRY_AUTHENTICATED constant in constants_inc.php to shrink the window of exposure, bearing in mind that a very short lifetime may cause legitimate users to run out of time before they finish the process.
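The contrast between the flawed and the patched behaviour, and the effect of the expiry workaround, can be seen in a small model of the reset flow. This is an added illustration, not MantisBT code, and it does not reproduce the project's internals: the class, method and field names are hypothetical, and the only names taken from the page are `TOKEN_EXPIRY_AUTHENTICATED` and the 5-minute lifetime. `complete_weak` authorises on user ID alone (the flaw class the advisory describes), while `complete_bound` requires the secret from the confirmation URL, compares it in constant time, and consumes the pending request on first use; the shortened expiry shows why the workaround limits, but does not remove, the exposure.

```python
"""Model of a pending password-reset request with a weak and a bound completion
check. Added example for this advisory; names and flow are hypothetical and are
not taken from the MantisBT code base."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MINUTES = 60
# The constant name is from the advisory; expressing the page's 5-minute lifetime
# as seconds and reading it here is this example's assumption.
TOKEN_EXPIRY_AUTHENTICATED = 5 * MINUTES


@dataclass
class PendingReset:
    user_id: int
    token: str            # secret carried in the e-mailed confirmation URL
    opened_at: datetime   # when that URL was opened; the validity clock starts here


class ResetStore:
    def __init__(self, expiry_seconds=TOKEN_EXPIRY_AUTHENTICATED):
        self.expiry = timedelta(seconds=expiry_seconds)
        self.pending = {}    # user_id -> PendingReset
        self.passwords = {}  # user_id -> current password (plain, for the model only)

    def open_confirmation(self, user_id, now):
        """The user opens the confirmation link: a fresh secret is issued and the
        request becomes 'pending' until it is completed or expires."""
        token = secrets.token_urlsafe(32)
        self.pending[user_id] = PendingReset(user_id, token, now)
        return token

    def _live(self, user_id, now):
        """Return the pending request if it exists and is inside the validity window."""
        p = self.pending.get(user_id)
        if p is None or now - p.opened_at > self.expiry:
            self.pending.pop(user_id, None)
            return None
        return p

    def complete_weak(self, user_id, new_password, now):
        """Flawed check: anyone who names a user ID with a live pending request
        may finish that reset, without ever having seen the e-mailed secret."""
        if self._live(user_id, now) is None:
            return False
        self.passwords[user_id] = new_password
        del self.pending[user_id]
        return True

    def complete_bound(self, user_id, presented_token, new_password, now):
        """Hardened check: the caller must present the secret from the confirmation
        URL; the comparison is constant-time and the request is single-use."""
        p = self._live(user_id, now)
        if p is None or not hmac.compare_digest(p.token, presented_token):
            return False
        self.passwords[user_id] = new_password
        del self.pending[user_id]
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 5, 14, 10, 0, tzinfo=timezone.utc)
    store = ResetStore()
    token = store.open_confirmation(42, t0)
    print("bound, wrong secret:", store.complete_bound(42, "guess", "pw", t0 + timedelta(minutes=1)))
    print("bound, right secret:", store.complete_bound(42, token, "pw", t0 + timedelta(minutes=1)))
```

Note that `complete_bound` still honours the expiry, so the workaround (a smaller `TOKEN_EXPIRY_AUTHENTICATED`) and the real fix (binding completion to the secret) are complementary: the former narrows the window on unpatched installations, the latter closes the ID-only path entirely.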