CVE-2021-30185

7.5 HIGH

📋 TL;DR

CVE-2021-30185 is a host header injection vulnerability in CERN Indico that allows attackers to manipulate password reset links. By supplying a malicious Host header, attackers can redirect password reset emails to domains they control, potentially leading to account takeover. This affects all Indico installations before version 2.3.4.

💻 Affected Systems

Products:
  • CERN Indico
Versions: All versions before 2.3.4
Operating Systems: All platforms running Indico
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Indico installations are vulnerable if using the built-in password reset functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of administrative users leading to full system compromise, data exfiltration, and privilege escalation across the Indico platform.

🟠 Likely Case

Targeted account takeover of specific users through crafted password reset links, potentially leading to unauthorized access to sensitive conference materials and user data.

🟢 If Mitigated

Limited impact with proper email verification and monitoring, though password reset functionality remains temporarily disabled for affected users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill, making this easily weaponizable in real attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.4

Vendor Advisory: https://github.com/indico/indico/releases/tag/v2.3.4

Restart Required: Yes

Instructions:

1. Back up your Indico installation and database.
2. Update to Indico 2.3.4 or later using pip: pip install "indico>=2.3.4" (quote the requirement so the shell does not treat >= as an output redirect).
3. Restart the Indico service.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Password Reset (platform: all)

Temporarily disable the password reset functionality in the Indico configuration.

Edit indico.conf and set ENABLE_PASSWORD_RESET = False

Web Server Host Validation (platform: linux)

Configure your web server (nginx/apache) to validate Host headers before the request reaches Indico.

For nginx: add 'if ($host !~* ^(yourdomain\.com|www\.yourdomain\.com)$) { return 444; }' to the server block (the dots are escaped so they match literally). Equivalently, give the Indico server block an explicit server_name and add a default catch-all server block that returns 444, so requests carrying any other Host value never reach the application.

🧯 If You Can't Patch

  • Implement strict web server configuration to validate and sanitize Host headers
  • Enable multi-factor authentication for all user accounts to reduce impact of password reset attacks

🔍 How to Verify

Check if Vulnerable:

Check the Indico version: if it is lower than 2.3.4, the system is vulnerable.

Check Version:

python -c "import indico; print(indico.__version__)"

Verify Fix Applied:

Verify that the Indico version is 2.3.4 or higher, then request a password reset while sending a Host header that is not your deployment's hostname and confirm that the link in the resulting email still points at your own domain.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Host header values in HTTP logs
  • Multiple password reset requests from single IP
  • Password reset attempts with non-standard domains

Network Indicators:

  • HTTP requests with manipulated Host headers to password reset endpoints
  • Unusual outbound connections following password reset requests

SIEM Query:

source="indico_logs" AND (url="*/reset-password" OR url="*/forgot-password") AND host!="*yourdomain.com*"

Note that the host field in this query must be the HTTP Host header recorded in the access log, not the SIEM's name for the logging server; with the default nginx "combined" log format the Host header is not recorded, so add $host to the log_format first.
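Detection logic for the log indicators above, as an added example that is not part of this advisory or of Indico: it parses constructed nginx access-log lines (assuming a custom log_format that appends $host after the status code) and flags password-reset requests whose Host header is outside an assumed allowlist, while also counting reset requests per client IP for the volume indicator.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not from the page). They assume a custom
# nginx log_format that appends $host (the request's Host header) after the
# status code; the default "combined" format does not record it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2021:10:01:02 +0000] "POST /reset-password HTTP/1.1" 200 indico.example.org
203.0.113.10 - - [12/Apr/2021:10:01:09 +0000] "POST /reset-password HTTP/1.1" 200 attacker.invalid
198.51.100.7 - - [12/Apr/2021:10:02:00 +0000] "GET /event/1/ HTTP/1.1" 200 attacker.invalid
203.0.113.10 - - [12/Apr/2021:10:03:15 +0000] "POST /forgot-password HTTP/1.1" 200 indico.example.org:8443
"""

# Hostnames the Indico deployment is legitimately served under (assumed values).
ALLOWED_HOSTS = {"indico.example.org", "www.indico.example.org"}
# Path fragments of the password-reset endpoints named in the SIEM query.
RESET_PATHS = ("/reset-password", "/forgot-password")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<host>\S+)$'
)

def normalize_host(host):
    """Lower-case the Host value and drop any port, so ':8443' cannot evade the allowlist."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal: keep the brackets
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def find_suspicious(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (hits, per_ip): reset requests whose Host is not allowlisted,
    and a count of reset requests per client IP for the volume indicator."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # line not in the expected format
        path = m["path"].split("?", 1)[0]
        if not any(p in path for p in RESET_PATHS):
            continue                   # only password-reset traffic matters here
        per_ip[m["ip"]] += 1
        if normalize_host(m["host"]) not in allowed_hosts:
            hits.append((m["ip"], m["host"], path))
    return hits, per_ip
```

Each entry in hits is a reset request that would have produced a link pointing at a foreign domain on an unpatched instance; per_ip highlights the repeated-request pattern from one source.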
