CVE-2024-50633: Indico Insecure Access

N/A

CVSS Score
3.1

Basic Information

EPSS Score
0.80183%
Published
1/16/2025
Updated
1/21/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
indico       | pip       | >= 3.2.9, < 3.3.3   | 3.3.3

Vulnerability Intelligence
Root Cause Analysis

The vulnerability centers on the /api/principals endpoint, which processes POST requests containing user-controlled identifiers (e.g., 'User:2301'). The provided exploit example and developer comments confirm that this endpoint returns user data without enforcing object-level authorization. The function responsible for processing these requests (likely named _process in a Principals request handler) fails to check whether the requester is permitted to access the specified user IDs. This matches CWE-639 (authorization bypass through a user-controlled key) and CWE-862 (missing authorization). The developer's dispute acknowledges the endpoint's existence but argues that the behavior is intentional, which further confirms how the function behaves.
