Skip to content

High severity vulnerability that affects indico

High severity GitHub Reviewed Published Oct 9, 2019 in indico/indico • Updated Jan 9, 2023

Package

pip indico (pip)

Affected versions

< 2.1.10
>= 2.2.0, < 2.2.3

Patched versions

2.1.10
2.2.3

Description

Local file disclosure through LaTeX injection

Impact

An external audit of the Indico codebase has discovered a vulnerability in Indico's LaTeX sanitization code, which could have malicious users to run unsafe LaTeX commands on the server. Such commands allowed for example to read local files (e.g. indico.conf).

As far as we know it is not possible to write files or execute code using this vulnerability.

Patches

You need to update to Indico 2.2.3 as soon as possible.
We also released Indico 2.1.10 in case you cannot update to 2.2 for some reason.
See https://docs.getindico.io/en/stable/installation/upgrade/ for instructions on how to update.

Workarounds

Setting XELATEX_PATH = None in indico.conf will result in an error when building a PDF, but without being able to run xelatex, the vulnerability cannot be abused.

For more information

If you have any questions or comments about this advisory:

References

@ThiefMaster ThiefMaster published to indico/indico Oct 9, 2019
Published to the GitHub Advisory Database Oct 11, 2019
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-67cx-rhhq-mfhq

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.