CVE-2024-50633
Description
A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A disputed BOLA vulnerability in Indico through 3.3.5 allows any registered (authenticated) user to retrieve information about other user accounts via a crafted POST to /api/principals.
What the vulnerability is
CVE-2024-50633 describes a Broken Object Level Authorization (BOLA) issue in the Indico event management platform (through version 3.3.5). The vulnerability resides in the /api/principals endpoint, which accepts a crafted POST request containing a JSON payload with a user identifier (e.g., {"values": ["User:2301"]}). By changing the user ID in the request, an attacker can retrieve information about other user accounts [1][4].
How it is exploited
Exploitation requires only that the attacker can register an account on the Indico instance and send a POST request to the /api/principals endpoint. The official repository and the discoverer's write-up both note that the endpoint was introduced in Indico v2.2 and remains accessible in v3.3.5 [3][4]. The attack does not require any prior privileges beyond having a valid session, and no administrator or organizer role is needed [1].
Impact
By enumerating user IDs, an attacker can extract personal information from other users' accounts, including names, email addresses, or other profile data exposed by the endpoint. The impact is a breach of confidentiality for user information, potentially enabling further targeted attacks [1][4].
Mitigation status
The Indico developers dispute the vulnerability classification, stating that the /api/principals endpoint is intentionally open to all authenticated users to allow searching for other users by name or email, which is a design feature, not a bug [3]. No official patch has been released as of the publication date. However, the developers have acknowledged that a future configuration option might restrict this endpoint to event organizers only [3]. Users wishing to limit exposure can apply network-level access controls or monitor logs for suspicious queries.
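A defender-side check in the spirit of the log-monitoring suggestion above, added here as an example (it is not Indico's code): it parses an assumed audit-log line format in which each /api/principals call is recorded with its session and JSON body, and flags sessions whose lookups walk through many adjacent `User:` ids, the enumeration pattern described above, rather than the handful of lookups a name search produces.

```python
import json
import re
from collections import defaultdict

# Constructed (hypothetical) audit-log format, one line per call:
# "<timestamp> session=<id> POST /api/principals <json body>".
# Indico's real logs are not assumed to look like this; adapt parse_line() to
# whatever your deployment records. Only the {"values": ["User:2301"]} body
# shape comes from the advisory; other principal prefixes are made up here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) POST /api/principals (?P<body>\{.*\})$"
)
USER_RE = re.compile(r"^User:(\d+)$")


def parse_line(line):
    """Return (session, [numeric user ids]) for a principals lookup, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    ids = []
    for v in body.get("values", []):
        um = USER_RE.match(v) if isinstance(v, str) else None
        if um:
            ids.append(int(um.group(1)))
    return m.group("session"), ids


def flag_sessions(log_text, min_distinct=10, min_sequential=0.8):
    """Flag sessions that look like an id walk rather than a name search: many
    distinct User: ids, most of them adjacent to another id the session asked for."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            seen[parsed[0]].update(parsed[1])
    flagged = {}
    for session, ids in seen.items():
        if len(ids) < min_distinct:
            continue
        adjacent = sum(1 for i in ids if i - 1 in ids or i + 1 in ids)
        if adjacent / len(ids) >= min_sequential:
            flagged[session] = len(ids)
    return flagged


# Constructed sample: s1 walks User:2301..User:2320, s2 does two ordinary lookups.
SAMPLE_LOG = "\n".join(
    [f'2026-05-20T10:00:{i:02d}Z session=s1 POST /api/principals {{"values": ["User:{2300 + i}"]}}'
     for i in range(1, 21)]
    + ['2026-05-20T10:01:00Z session=s2 POST /api/principals {"values": ["User:2301"]}',
       '2026-05-20T10:01:05Z session=s2 POST /api/principals {"values": ["User:17", "Group:4"]}']
)

if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))  # {'s1': 20}
```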
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| indico (PyPI) | >= 3.2.9, < 3.3.3 | 3.3.3 |
Affected products
- CERN/Indico (v5 range: 2.2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3wg7-r7q5-r2jf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-50633 (ghsa, ADVISORY)
- github.com/cetinpy/CVE-2024-50633/issues/1 (ghsa, WEB)
News mentions
No linked articles in our index yet.