CVE-2024-50633
Published: 16 January 2025
Summary
CVE-2024-50633 is an uncategorised-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in CERN Indico. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1087.001). The CVE is ranked in the top 7.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to information and resources in the /api/principals endpoint, directly preventing BOLA exploitation by unauthenticated attackers reading user account details.
- SC-14 (Public Access Protections): implements protections for public access to system resources, mitigating PR:N exploitation of the network-accessible API endpoint that exposes user information without proper restrictions.
- Least privilege: restricts user access to only the information they need, reducing the scope of exposure in the intentionally permissive /api/principals functionality.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The BOLA vulnerability allows attackers to access sensitive information about arbitrary user accounts by manipulating the 'User:ID' parameter in POST requests to /api/principals, enabling local account discovery.
NVD Description
A Broken Object Level Authorization (BOLA) vulnerability in Indico through 3.3.5 allows attackers to read information by sending a crafted POST request to the component /api/principals. NOTE: this is disputed by the Supplier because the product intentionally lets all users retrieve certain information about other user accounts (this functionality is, in the current design, not restricted to any privileged roles such as event organizer).
Deeper analysis
CVE-2024-50633 is a Broken Object Level Authorization (BOLA) vulnerability, mapped to CWE-201 (Insertion of Sensitive Information Into Sent Data), affecting Indico versions through 3.3.5. The issue resides in the /api/principals component, where attackers can send a crafted POST request to read information about user accounts.
Any network-accessible attacker with no privileges (PR:N) can exploit this by crafting and submitting the POST request to the vulnerable endpoint, potentially retrieving details about other users. However, the CVSS v3.1 base score is 0.0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N), indicating no measurable impact on confidentiality, integrity, or availability. The vulnerability is disputed by the supplier, who states that the product intentionally allows all users to retrieve certain information about other user accounts, with no restrictions to privileged roles like event organizers.
Advisories are limited to the GitHub repository at https://github.com/cetinpy/CVE-2024-50633 and its issue tracker at https://github.com/cetinpy/CVE-2024-50633/issues/1, which document the finding but provide no specific patch, workaround, or mitigation details beyond the ongoing dispute. The CVE was published on 2025-01-16; no real-world exploitation has been reported.
Details
- CWE(s)