
GHSA-67cx-rhhq-mfhq indico

Package

Manager: pip
Name: indico
Vulnerable Version: >=0 <2.1.10 || >=2.2.0 <2.2.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

High severity vulnerability that affects indico

## Local file disclosure through LaTeX injection

### Impact

An external audit of the Indico codebase has discovered a vulnerability in Indico's LaTeX sanitization code, which could have allowed malicious users to run unsafe LaTeX commands on the server. Such commands allowed, for example, reading local files (e.g. `indico.conf`). As far as we know it is not possible to write files or execute code using this vulnerability.

### Patches

You need to update to [Indico 2.2.3](https://github.com/indico/indico/releases/tag/v2.2.3) as soon as possible. We also released [Indico 2.1.10](https://github.com/indico/indico/releases/tag/v2.1.10) in case you cannot update to 2.2 for some reason. See https://docs.getindico.io/en/stable/installation/upgrade/ for instructions on how to update.

### Workarounds

Setting `XELATEX_PATH = None` in `indico.conf` will result in an error when building a PDF, but without being able to run xelatex, the vulnerability cannot be abused.

### For more information

If you have any questions or comments about this advisory:

* Open a thread in [our forum](https://talk.getindico.io/)
* Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)
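The affected-version range printed on this page (`>=0 <2.1.10 || >=2.2.0 <2.2.3`) is easy to misread by hand, so the following is an added example (not part of the advisory or the Indico project) of evaluating an installed version against it: it parses the range syntax as shown here (alternatives joined by `||`, each a conjunction of comparators) and reports whether a given version is inside it and which releases close each branch. It assumes plain dotted-integer version strings such as `2.2.3`; pre-release suffixes are not handled.

```python
"""Check an installed indico version against this advisory's affected range.

Added example, not part of the advisory or the Indico project. The range
syntax (">=0 <2.1.10 || >=2.2.0 <2.2.3") is the one printed on this page:
alternatives separated by "||", each a conjunction of space-separated
comparators. Versions are assumed to be dotted integer tuples
(e.g. "2.2.3"); pre-release suffixes are not handled here.
"""
import operator
import re

ADVISORY_RANGE = ">=0 <2.1.10 || >=2.2.0 <2.2.3"  # from GHSA-67cx-rhhq-mfhq

_OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
    "=": operator.eq,
}
_COMPARATOR = re.compile(r"^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '2.1.10' into (2, 1, 10) so comparison is numeric, not lexical."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text.strip()):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (2, 2) == (2, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_range(spec):
    """Parse the advisory range into a list of alternatives, each a list of
    (comparison function, version tuple) pairs. Any alternative matching
    means the version is affected."""
    alternatives = []
    for alt in spec.split("||"):
        comparators = []
        for token in alt.split():
            m = _COMPARATOR.match(token)
            if not m:
                raise ValueError(f"bad comparator: {token!r}")
            op = m.group(1) or "="
            comparators.append((_OPS[op], parse_version(m.group(2))))
        if not comparators:
            raise ValueError("empty alternative in range")
        alternatives.append(comparators)
    return alternatives


def is_affected(version, spec=ADVISORY_RANGE):
    """True if `version` falls inside any alternative of `spec`."""
    v = parse_version(version)
    for comparators in parse_range(spec):
        if all(fn(*_pad(v, bound)) for fn, bound in comparators):
            return True
    return False


def first_fixed_versions(spec=ADVISORY_RANGE):
    """Return the upper '<' bounds of each alternative, i.e. the releases
    that close each vulnerable branch (here 2.1.10 and 2.2.3)."""
    fixed = []
    for comparators in parse_range(spec):
        for fn, bound in comparators:
            if fn is operator.lt:
                fixed.append(".".join(map(str, bound)))
    return fixed


if __name__ == "__main__":
    # Constructed sample versions spanning both branches of the range.
    for candidate in ("2.1.9", "2.1.10", "2.2.2", "2.2.3", "2.3.0"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```

Comparing padded integer tuples rather than strings is what makes `2.1.9 < 2.1.10` come out right; a naive string comparison would place `2.1.10` before `2.1.9` and misclassify the last vulnerable 2.1 release.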

Metadata

Created: 2019-10-11T18:28:07Z
Modified: 2021-09-01T22:40:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-67cx-rhhq-mfhq/GHSA-67cx-rhhq-mfhq.json
CWE IDs: ["CWE-77"]
Alternative ID: N/A
Finding: F422
Auto approve: 1