Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based authentication. When a user attempts to login to the application, they insert their email and a 6 digit code is sent to their email address to complete the authentication. A token that consists of 6 digits only presents weak entropy however and when coupled with no token brute force protection, makes it possible for an unauthenticated attacker with knowledge of a valid email address to successfully brute force the token within 15 minutes (token expiration time) and take over the account associated with the targeted email address. All users on the Rallly applications are impacted. As long as an attacker knows the user's email address they used to register on the app, they can systematically take over any user account. For the authentication mechanism to be safe, the token would need to be assigned a complex high entropy value that cannot be bruteforced within reasonable time, and ideally rate limiting the /api/auth/callback/email endpoint to further make brute force attempts unreasonable within the 15 minutes time. As of time of publication, no patched versions are available.
During login, the user provides an email address and the application sends a 6-digit verification code valid for 15 minutes to that address. The token consisting solely of digits (range 000000–999999, totaling 1,000,000 combinations) is characterized by very low entropy (CWE-331). The /api/auth/callback/email endpoint implements no rate limiting or other brute force protection, enabling systematic checking of all possible token values within less than 15 minutes. The attacker only needs knowledge of the victim's correct email address registered in the application.
An attacker can fully take over any Rallly user account — gaining unauthorized access to their data, schedules, and shared resources (violation of confidentiality, integrity, and availability). All users of the application whose registration email address is known are at risk.
At the time of the security advisory publication, no patched versions were available. Monitor the vendor's repository (GitHub: lukevella/rallly) and apply the patch immediately upon release. Until a fix is released, consider temporarily restricting access to the /api/auth/callback/email endpoint (e.g., via external firewall or reverse proxy with rate limiting) and monitor logs for anomalously high numbers of authentication requests.
Rallly (open-source application) versions up to and including 3.22.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRallly
APPRallly≤ 3.11.2
Related vulnerabilities
IDOR w Rallly — nieautoryzowane finalizowanie ankiet innych użytkowników
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure ...
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object ...
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in t...
Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization ...