CVE-2024-50633: Indico Insecure Access
N/A

CVSS Score: 3.1

Basic Information
CVE ID: CVE-2024-50633
GHSA ID:
EPSS Score: 0.80183%
CWE:
Published: 1/16/2025
Updated: 1/21/2025
KEV Status: No
Technology: Python

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| indico | pip | >= 3.2.9, < 3.3.3 | 3.3.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on the /api/principals endpoint, which processes POST requests containing user-controlled identifiers (e.g., 'User:2301'). The provided exploit example and developer comments confirm that this endpoint returns user data without enforcing object-level authorization. The function responsible for processing these requests (likely named _process in a Principals request handler) does not validate whether the requester has permission to access the specified user IDs. This matches CWE-639 (authorization bypass through user-controlled key) and CWE-862 (missing authorization). The developer's dispute acknowledges the endpoint's existence but argues that its behavior is intentional, which further confirms how the function behaves.