QID 982749

QID 982749: Python (pip) Security Update for indico (GHSA-wgpj-7c2j-vfjm)

Security update has been released for indico to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

An external audit of the Indico codebase has discovered a vulnerability in Indico's URL generation logic which could have allowed an attacker to make Indico send a password reset link with a valid token pointing to an attacker-controlled domain by sending that domain in the `Host` header. Had a user clicked such a link without realizing it does not point to Indico (and that they never requested it), it would have revealed their password reset token to the attacker, allowing them to reset the password for that user and thus take over their Indico account.

- If the web server already enforces a canonical host name, this cannot be exploited (this was not part of the default config from the Indico setup guide)
- If only SSO is used ([`LOCAL_IDENTITIES`](https://docs.getindico.io/en/stable/config/settings/#LOCAL_IDENTITIES) set to `False`), the vulnerability cannot be exploited for password reset links, but other links in emails set by Indico could be tampered with in the same way (with less problematic impact though)

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5 severity.
    • Solution
    You need to update to [Indico 2.3.4](https://github.com/indico/indico/releases/tag/v2.3.4) as soon as possible.
    See [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.Workaround:
    You can configure the web server to canonicalize the URL to the hostname used for Indico. See [this commit](https://github.com/indico/indico/pull/4815/commits/b6bff6d004abcf07db1891e26a0eb4aa0edb7c21) for the changes in our setup docs; they can be easily applied to your existing web server config.
    Vendor References

    CVEs related to QID 982749

    CVE-2021-30185 |
    Software Advisories
    Advisory ID Software Component Link
    GHSA-wgpj-7c2j-vfjm indico URL Logo github.com/advisories/GHSA-wgpj-7c2j-vfjm
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].