CVE-2024-45300

7.5 HIGH

📋 TL;DR

A race condition vulnerability in alf.io allows attackers to bypass promo code usage limits by exploiting timing gaps between validation and enforcement. This affects all alf.io deployments prior to version 2.0-M5, potentially allowing unauthorized discounts for event tickets.
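The bug class described above is a check-then-act race: the usage count is read and compared to the limit in one step, and incremented in another, so concurrent requests that all read the count before any of them writes can all pass validation. The following is an added illustration of the fix pattern, not alf.io code (alf.io is a Java application); it uses Python and sqlite3, an assumed table layout and an assumed limit of 3, and shows that folding the limit check into the same UPDATE statement as the increment keeps the count at the limit no matter how many concurrent attempts are made.

```python
"""Atomic promo-code usage enforcement (added example, not alf.io code).

Vulnerable shape (not implemented here): SELECT used FROM promo_code; if
used < max_uses in application code; then UPDATE promo_code SET used = used + 1.
Two requests that both read `used` before either writes both pass the check.

Fixed shape: the limit check lives in the WHERE clause of the same UPDATE that
increments the counter, so the database evaluates check and increment as one
atomic step and reports via rowcount whether the redemption was granted.
"""
import os
import sqlite3
import tempfile
import threading

MAX_USES = 3  # assumed configured limit for this example


def setup_db(path):
    """Create the assumed table and one promo code with zero uses."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE promo_code (code TEXT PRIMARY KEY, max_uses INTEGER, used INTEGER)"
    )
    conn.execute("INSERT INTO promo_code VALUES ('EARLYBIRD', ?, 0)", (MAX_USES,))
    conn.commit()
    conn.close()


def redeem_atomic(path, code):
    """Return True if the redemption was granted.

    The conditional UPDATE is a single statement, so no two callers can both
    observe `used < max_uses` and both succeed once the limit is reached.
    """
    # Autocommit mode: each statement is its own transaction. The timeout makes
    # concurrent writers wait for the lock instead of failing with "database is locked".
    conn = sqlite3.connect(path, timeout=30, isolation_level=None)
    try:
        cur = conn.execute(
            "UPDATE promo_code SET used = used + 1 WHERE code = ? AND used < max_uses",
            (code,),
        )
        return cur.rowcount == 1
    finally:
        conn.close()


def concurrent_redemptions(path, code, threads=8, attempts_per_thread=5):
    """Run many redemption attempts in parallel; return how many were granted."""
    granted = []
    lock = threading.Lock()

    def worker():
        for _ in range(attempts_per_thread):
            if redeem_atomic(path, code):
                with lock:
                    granted.append(1)

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return len(granted)


def run_demo():
    """Return (redemptions granted, stored usage count) for a temporary database."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        setup_db(path)
        granted = concurrent_redemptions(path, "EARLYBIRD")
        conn = sqlite3.connect(path)
        used = conn.execute(
            "SELECT used FROM promo_code WHERE code = 'EARLYBIRD'"
        ).fetchone()[0]
        conn.close()
        return granted, used
    finally:
        os.remove(path)


if __name__ == "__main__":
    granted, used = run_demo()
    print(f"granted={granted} stored_used={used} limit={MAX_USES}")
```

Forty attempts are made across eight threads; exactly three are granted and the stored counter never exceeds the limit, because the comparison and the increment cannot be separated by another writer. The same pattern applies to any database that supports conditional updates; an equivalent in an ORM is a single conditional update query, not a read followed by a save.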

💻 Affected Systems

Products:
  • alf.io
Versions: All versions prior to 2.0-M5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using promo codes with usage limits.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Event organizers suffer significant revenue loss through unlimited promo code abuse, potentially bankrupting small events or conferences.

🟠 Likely Case: Limited financial loss from opportunistic attackers exploiting promo codes for discounted tickets, impacting event profitability.

🟢 If Mitigated: Minimal impact with proper rate limiting and monitoring, though some abuse may still occur before detection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires user account to apply promo codes, but exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0-M5

Vendor Advisory: https://github.com/alfio-event/alf.io/security/advisories/GHSA-67jg-m6f3-473g

Restart Required: Yes

Instructions:

1. Back up your alf.io installation and database.
2. Update to version 2.0-M5 or later.
3. Restart the alf.io service.
4. Verify the fix by testing promo code limits.

🔧 Temporary Workarounds

Disable promo codes (all)

Temporarily disable all promo code functionality until patching is possible.

Implement external rate limiting (all)

Use a web application firewall or reverse proxy to limit promo code application requests per user.

🧯 If You Can't Patch

  • Implement strict monitoring of promo code usage patterns and alert on anomalies
  • Manually review and audit all promo code applications for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check alf.io version via admin interface or by examining the application files for version markers

Check Version:

Check the application.properties or version file in the alf.io installation directory

Verify Fix Applied:

Test promo code limit enforcement by attempting to apply the same code multiple times rapidly

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful promo code applications from same user in rapid succession
  • Promo code usage exceeding configured limits

Network Indicators:

  • Bursts of POST requests to promo code application endpoints

SIEM Query:

source="alf.io" AND (message="promo code applied" OR message="discount applied") | stats count by user_id, promo_code | where count > 1
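The two log indicators above (rapid repeated applications by one user, and total usage above the configured limit) can be checked offline against exported logs. The following is an added example, not alf.io's own tooling: the log line format, the user and promo code names, and the configured limits are all constructed for illustration, so `parse_line()` must be adapted to the real log format of a deployment.

```python
"""Detect promo-code abuse patterns in application logs (added example).

The log format below is constructed for this example; real alf.io log lines
differ, so adapt LINE_RE / parse_line() before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real alf.io output). User 42 applies the
# same code four times within one second; EARLYBIRD is used five times in total.
SAMPLE_LOG = """\
2024-09-01T10:00:00Z INFO promo code applied user_id=42 promo_code=EARLYBIRD event=conf2024
2024-09-01T10:00:00Z INFO promo code applied user_id=42 promo_code=EARLYBIRD event=conf2024
2024-09-01T10:00:01Z INFO promo code applied user_id=42 promo_code=EARLYBIRD event=conf2024
2024-09-01T10:00:01Z INFO promo code applied user_id=42 promo_code=EARLYBIRD event=conf2024
2024-09-01T10:05:00Z INFO promo code applied user_id=7 promo_code=EARLYBIRD event=conf2024
2024-09-01T11:00:00Z INFO promo code applied user_id=9 promo_code=SPEAKER event=conf2024
2024-09-01T11:00:30Z INFO discount applied user_id=9 promo_code=SPEAKER event=conf2024
"""

# Assumed per-code usage limits as configured by the organizer (constructed).
CONFIGURED_LIMITS = {"EARLYBIRD": 3, "SPEAKER": 5}

# Matches both message variants used in the SIEM query above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<msg>promo code applied|discount applied) "
    r"user_id=(?P<user>\S+) promo_code=(?P<code>\S+)"
)


def parse_line(line):
    """Return (timestamp, user_id, promo_code) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["code"]


def find_bursts(lines, window=timedelta(seconds=5), threshold=3):
    """Return (user_id, promo_code, count) for every user who applied the same
    code `threshold` or more times within any `window`-long interval."""
    by_key = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, code = parsed
            by_key[(user, code)].append(ts)
    findings = []
    for (user, code), stamps in by_key.items():
        stamps.sort()
        start, worst = 0, 0
        # Sliding window over sorted timestamps: widest run that fits in `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            findings.append((user, code, worst))
    return findings


def find_limit_exceeded(lines, limits):
    """Return (promo_code, total_uses, limit) for codes used beyond their limit.
    Any hit here means the enforcement failed, whatever the timing."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            totals[parsed[2]] += 1
    return [
        (code, n, limits[code])
        for code, n in totals.items()
        if code in limits and n > limits[code]
    ]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, code, n in find_bursts(lines):
        print(f"burst: user {user} applied {code} {n} times within 5s")
    for code, n, limit in find_limit_exceeded(lines, CONFIGURED_LIMITS):
        print(f"limit exceeded: {code} used {n} times, limit {limit}")
```

The burst check corresponds to the "rapid succession" indicator and is useful during triage; the limit check is the stronger signal because it does not depend on timing and directly confirms that the configured limit was not enforced.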
