Authorization Bypass Through User-Controlled Key The advisory has been revoked - it doesn't affect any version of package indico  (opens in a new tab)


Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Authorization Bypass Through User-Controlled Key vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-INDICO-8643016
  • published17 Jan 2025
  • disclosed16 Jan 2025
  • creditÇetin BİNİCİ

Introduced: 16 Jan 2025

CVE-2024-50633  (opens in a new tab)
CWE-639  (opens in a new tab)

Amendment

This was deemed not a vulnerability.

Overview

indico is a conference lifecycle management and meeting/lecture scheduling tool.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/principals endpoint, which allows users to expose other users' data via POST request containing arbitrary user ID values.

Update: The project maintainers, once made aware of the issue, clarified that it is the expected behavior of the endpoint to return responses for arbitrary user IDs, doesn't disclose sensitive information, and is therefore not a vulnerability.