CVE-2024-50633
Published: 16 January 2025
Summary
CVE-2024-50633 is an uncategorised-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in CERN Indico. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery: Local Account (T1087.001). The CVE is ranked in the top 7.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2024-50633 is a reported Broken Object Level Authorization (BOLA) issue affecting Indico versions through 3.3.5. The flaw resides in the /api/principals component and is triggered by crafted POST requests that can expose user account details. The finding is tracked under CWE-201 and carries a CVSS 3.1 score of 0.0.
Any remote attacker without authentication or privileges can submit the malicious POST to retrieve information about other user accounts. The vendor disputes the report, stating that the observed behavior matches the application's intentional design, which permits all users to access certain principal data without role-based restrictions such as event-organizer privileges.
Public references consist of a GitHub repository and associated issue that document the claim, yet no vendor advisory, patch, or mitigation guidance is referenced. The associated EPSS score remains flat at 0.0901 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0088
Vulnerability details
A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).
- CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The BOLA vulnerability allows authenticated attackers to access sensitive information of arbitrary user accounts by manipulating the 'User:ID' parameter in POST requests to /api/principals, enabling local account discovery.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to information and resources in the /api/principals endpoint, directly preventing BOLA exploitation by unauthenticated attackers reading user account details.
- SC-14 (Public Access Protections): Implements protections for public access to system resources, mitigating exploitation requiring no privileges (CVSS PR:N) of the network-accessible API endpoint that exposes user information without proper restrictions.
- Least privilege: Ensures least privilege by restricting user access to only the information they need, reducing the scope of exposure in the intentionally permissive /api/principals functionality.