Indico
cpe:2.3:a:cern:indico:*:*:*:*:*:*:*
- < 3.3.10
A server-side request forgery (SSRF) vulnerability has been identified in Indico, an event management system that uses Flask-Multipass for authentication. It affects Indico versions prior to 3.3.10. The issue arises because Indico makes outgoing requests to user-provided URLs in various contexts, which can unintentionally allow the server to reach sensitive targets such as localhost or cloud metadata endpoints. Only event organizers can exploit this vulnerability to access the returned data, and the risk is limited for deployments not hosted on AWS.
Exploitation of this vulnerability could lead to unauthorized access to sensitive data from private/internal/local IP addresses or cloud metadata endpoints, depending on the server's environment and configuration.
Users should upgrade to Indico version 3.3.10 or later. For those who do not host Indico on AWS and do not have sensitive data exposed without authentication, the vulnerability can be ignored, but an upgrade is still recommended. After upgrading, consider using the `http_proxy` and `https_proxy` environment variables to route outgoing requests through a proxy that can restrict which destinations those requests may reach. These variables must be set for both the indico-uwsgi and indico-celery services, since both make outgoing requests.
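The kind of destination check such an egress proxy (or any service fetching user-supplied URLs) should apply, as an added example that is not Indico's code and not the fix shipped in 3.3.10: it resolves the host and rejects loopback, private, link-local (which covers the 169.254.169.254 metadata address) and other non-public targets, including IPv4-mapped IPv6 forms.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def disallowed_address(ip_text: str) -> bool:
    """True if a resolved address must not be reached from the server."""
    addr = ipaddress.ip_address(ip_text)
    # Normalise IPv4-mapped IPv6 (::ffff:127.0.0.1) to the embedded IPv4 address,
    # otherwise the loopback/private checks below can be bypassed.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outgoing_url(url: str) -> tuple:
    """Return (allowed, reason) for a user-supplied URL before fetching it.

    Hypothetical helper for illustration; the check must be re-applied to the
    address actually connected to, since DNS answers can change (rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "cannot resolve %r" % host
    # A name may resolve to several addresses; reject if any of them is internal.
    for _family, _type, _proto, _canon, sockaddr in infos:
        if disallowed_address(sockaddr[0]):
            return False, "%r resolves to internal address %s" % (host, sockaddr[0])
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: metadata endpoint, loopback variants, a public IP.
    for u in ("http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
              "http://localhost:8000/", "https://8.8.8.8/", "file:///etc/passwd"):
        print(u, "->", check_outgoing_url(u))
```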