GHSA-67CX-RHHQ-MFHQ

Vulnerability from github – Published: 2019-10-11 18:28 – Updated: 2021-09-01 22:40
Summary
High severity vulnerability that affects indico
Details

Local file disclosure through LaTeX injection

Impact

An external audit of the Indico codebase has discovered a vulnerability in Indico's LaTeX sanitization code, which could have allowed malicious users to run unsafe LaTeX commands on the server. Such commands could be used, for example, to read local files (e.g. indico.conf).

As far as we know it is not possible to write files or execute code using this vulnerability.

Patches

You need to update to Indico 2.2.3 as soon as possible. We also released Indico 2.1.10 in case you cannot update to 2.2 for some reason. See https://docs.getindico.io/en/stable/installation/upgrade/ for instructions on how to update.

Workarounds

Setting XELATEX_PATH = None in indico.conf will result in an error when building a PDF, but without being able to run xelatex, the vulnerability cannot be abused.
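Added example (not part of the advisory or of the Indico project): a small Python check that maps an installed Indico version onto the two affected ranges listed in this advisory's record, reports the version to upgrade to, and inspects an indico.conf for the XELATEX_PATH = None workaround. Plain dotted numeric version strings and the sample config are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges copied from this advisory's OSV "affected" entries. Each is a
# half-open interval [introduced, fixed), as OSV ECOSYSTEM events define them.
AFFECTED_RANGES: List[Dict[str, str]] = [
    {"introduced": "0", "fixed": "2.1.10"},
    {"introduced": "2.2.0", "fixed": "2.2.3"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.10' -> (2, 1, 10). Numeric tuples compare correctly where strings
    would not ('2.1.9' > '2.1.10' lexically). Pre-release tags are not handled."""
    return tuple(int(part) for part in v.split("."))

def fix_for(installed: str, ranges: List[Dict[str, str]] = AFFECTED_RANGES) -> Optional[str]:
    """Return the fixed version for the range containing `installed`, or None
    when the installed version is not affected (e.g. 2.1.10 or 2.2.3)."""
    v = parse_version(installed)
    for r in ranges:
        if parse_version(r["introduced"]) <= v < parse_version(r["fixed"]):
            return r["fixed"]
    return None

# indico.conf is Python syntax; the advisory's workaround is `XELATEX_PATH = None`.
# Commented-out assignments do not match because `#` is not allowed before the key.
_XELATEX_RE = re.compile(r"^[ \t]*XELATEX_PATH[ \t]*=[ \t]*(.+?)[ \t]*(#.*)?$", re.MULTILINE)

def workaround_applied(conf_text: str) -> bool:
    """True only when the last active XELATEX_PATH assignment is None."""
    matches = _XELATEX_RE.findall(conf_text)
    return bool(matches) and matches[-1][0] == "None"

def assess(installed: str, conf_text: str) -> str:
    fixed = fix_for(installed)
    if fixed is None:
        return "not affected"
    if workaround_applied(conf_text):
        return f"affected, workaround in place; upgrade to {fixed}"
    return f"affected, PDF export exposed; upgrade to {fixed} or set XELATEX_PATH = None"

# Constructed sample config for demonstration, not a real deployment's indico.conf.
SAMPLE_CONF = "SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'\nXELATEX_PATH = '/usr/bin/xelatex'\n"

if __name__ == "__main__":
    for ver in ("2.1.9", "2.1.10", "2.2.0", "2.2.3"):
        print(ver, "->", assess(ver, SAMPLE_CONF))
```

Note that 2.1.10 and 2.1.11 sit between the two ranges and are not affected, while 2.2.0 through 2.2.2 are affected again; a single "less than 2.2.3" comparison would get the 2.1.x branch wrong.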

For more information

If you have any questions or comments about this advisory:

  • Open a thread in our forum (https://talk.getindico.io/)
  • Email us privately at indico-team@cern.ch


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:18:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Local file disclosure through LaTeX injection\n\n### Impact\nAn external audit of the Indico codebase has discovered a vulnerability in Indico\u0027s LaTeX sanitization code, which could have malicious users to run unsafe LaTeX commands on the server. Such commands allowed for example to read local files (e.g. `indico.conf`).\n\nAs far as we know it is not possible to write files or execute code using this vulnerability.\n\n### Patches\nYou need to update to [Indico 2.2.3](https://github.com/indico/indico/releases/tag/v2.2.3) as soon as possible.\nWe also released [Indico 2.1.10](https://github.com/indico/indico/releases/tag/v2.1.10) in case you cannot update to 2.2 for some reason.\nSee https://docs.getindico.io/en/stable/installation/upgrade/ for instructions on how to update.\n\n### Workarounds\nSetting `XELATEX_PATH = None` in `indico.conf` will result in an error when building a PDF, but without being able to run xelatex, the vulnerability cannot be abused.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a thread in [our forum](https://talk.getindico.io/)\n* Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)\n\n",
  "id": "GHSA-67cx-rhhq-mfhq",
  "modified": "2021-09-01T22:40:23Z",
  "published": "2019-10-11T18:28:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-67cx-rhhq-mfhq"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-67cx-rhhq-mfhq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "High severity vulnerability that affects indico"
}