CVE-2024-24771
📋 TL;DR
Open Forms versions before 2.2.9, 2.3.7, 2.4.5 and 2.5.2 contain a multi-factor authentication weakness: an attacker holding superuser credentials could potentially authenticate through an API login endpoint and bypass MFA. This could allow viewing sensitive submission data or impersonating staff accounts. The maintainers believe exploitation was not possible because the relevant endpoint was misconfigured.
💻 Affected Systems
- Open Forms
📦 What is this software?
Open Forms by Maykinmedia
⚠️ Risk & Real-World Impact
Worst Case
Compromised superuser credentials lead to full account takeover, allowing attackers to view sensitive submission data, impersonate staff accounts, and modify data.
Likely Case
Minimal impact since the maintainers state the vulnerable API endpoint was misconfigured and unusable, making exploitation improbable.
If Mitigated
With proper MFA and credential protection, risk is negligible as the vulnerability requires both credential compromise and a functional bypass method.
🎯 Exploit Status
Exploitation requires compromised superuser credentials and a functional authentication method to the vulnerable endpoint, which maintainers state was not possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.9, 2.3.7, 2.4.5, or 2.5.2
Vendor Advisory: https://github.com/open-formulieren/open-forms/security/advisories/GHSA-64r3-x3gf-vp63
Restart Required: Yes
Instructions:
1. Upgrade to a patched version (2.2.9, 2.3.7, 2.4.5, or 2.5.2).
2. Ensure settings.DEBUG = False in production.
3. Restart application services.
🔧 Temporary Workarounds
Disable DEBUG mode
Ensure settings.DEBUG = False in production to disable the vulnerable API endpoints.
Check Django settings for DEBUG = True and set to False
Restrict superuser access
Limit the number of superuser accounts and enforce strong password policies with MFA.
🧯 If You Can't Patch
- Enforce strong password policies and MFA for all superuser accounts
- Monitor authentication logs for suspicious superuser login attempts
🔍 How to Verify
Check if Vulnerable:
Check Open Forms version against affected versions. Verify if settings.DEBUG = True in production.
Check Version:
Check Open Forms package version or application settings
Verify Fix Applied:
Confirm version is 2.2.9, 2.3.7, 2.4.5, or 2.5.2+. Verify settings.DEBUG = False.
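An added example (not code from the advisory or the Open Forms project) that encodes the version check above per minor branch. The branch-to-fix mapping comes from the patch versions listed on this page; treating branches older than 2.2 as vulnerable and branches newer than 2.5 as already fixed is an assumption, as is the combination with the DEBUG setting.

```python
"""Check an Open Forms version against the fixed releases for CVE-2024-24771.

Assumptions (this example, not the advisory): branches older than 2.2 are
treated as never patched, branches newer than 2.5 as carrying the fix, and a
vulnerable version with DEBUG off is reported separately because the advisory
says the endpoint is only reachable with DEBUG = True.
"""
import re

# Minor branch -> first release on that branch containing the fix (from the advisory).
FIXED_BY_BRANCH = {
    (2, 2): (2, 2, 9),
    (2, 3): (2, 3, 7),
    (2, 4): (2, 4, 5),
    (2, 5): (2, 5, 2),
}

def parse_version(version: str) -> tuple:
    """Parse a plain 'major.minor.patch' string (optional leading 'v')."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own minor branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    # Assumption: branches before 2.2 never received a fix; later ones include it.
    return branch < (2, 2)

def assess(version: str, debug: bool) -> str:
    """Combine the version check with the DEBUG setting the advisory calls out.

    Returns 'patched', 'vulnerable-version' (DEBUG off, endpoint reportedly
    disabled) or 'exposed' (vulnerable version with DEBUG on).
    """
    if not is_vulnerable(version):
        return "patched"
    return "exposed" if debug else "vulnerable-version"

if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for v, dbg in [("2.2.8", True), ("2.3.6", False), ("2.5.2", True)]:
        print(v, "DEBUG=" + str(dbg), "->", assess(v, dbg))
```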
📡 Detection & Monitoring
Log Indicators:
- Unusual superuser authentication attempts
- Access to /api/v2/api-auth/login/ endpoint
Network Indicators:
- Requests to /api/v2/api-auth/login/ in production
SIEM Query:
source="openforms" AND (uri_path="/api/v2/api-auth/login/" OR user_role="superuser")
🔗 References
- https://github.com/open-formulieren/open-forms/releases/tag/2.2.9
- https://github.com/open-formulieren/open-forms/releases/tag/2.3.7
- https://github.com/open-formulieren/open-forms/releases/tag/2.4.5
- https://github.com/open-formulieren/open-forms/releases/tag/2.5.2
- https://github.com/open-formulieren/open-forms/security/advisories/GHSA-64r3-x3gf-vp63