Executive Summary

This vulnerability affects Indico, an event management system that uses Flask-Multipass for authentication. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax, it is possible to bypass Indico's LaTeX sanitizer. This allows an attacker to use specially-crafted LaTeX snippets to read local files or execute code with the same privileges as the user running Indico on the server.

The vulnerability only applies if server-side LaTeX rendering is enabled (i.e., if the XELATEX_PATH setting is configured in indico.conf). If this setting is not enabled, the vulnerability does not apply.

To mitigate this vulnerability, it is recommended to update Indico to version 3.3.12 or later, enable the containerized LaTeX renderer to isolate LaTeX processing, or disable LaTeX functionality by removing or commenting out the XELATEX_PATH setting and restarting relevant services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to read local files or execute arbitrary code on the server with the privileges of the Indico user. This can lead to unauthorized access to sensitive information, data leakage, or full compromise of the server hosting Indico.

If exploited, it could result in loss of confidentiality, integrity, and availability of the system and its data.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, it is recommended to update Indico to version 3.3.12 as soon as possible.

It is strongly recommended to enable the containerized LaTeX renderer using podman, which isolates the LaTeX rendering process from the rest of the system.

As a workaround, you can remove the XELATEX_PATH setting from the indico.conf file (or comment it out or set it to None) and then restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

Useful 0 Not Useful 0