SCA: security update for indico (GHSA-f47c-3c5w-v7p4)

medium Tenable Self-Hosted Container Security Plugin ID 437793

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for
Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing
requests to user-provided URLs in various places. This is mostly intentional and part of Indico's
functionality but is never intended to let users access "special" targets such as localhost or cloud
metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs
that expose sensitive data without authentication (typically because they do not host Indico on AWS) are
not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data
returned by such a request. For those who trust their event organizers, the risk is also very limited. For
additional security, both before and after patching, one may also use the common proxy-related environment
variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy
that limits requests in whatever way you deem useful/necessary. These environment variables would need to
be set both on the indico-uwsgi and indico-celery services. (CVE-2026-25738)

See Also

https://github.com/advisories/GHSA-f47c-3c5w-v7p4

Plugin Details

Severity: Medium

ID: 437793

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 2/18/2026

Updated: 6/16/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2026-25738

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/17/2026

Vulnerability Publication Date: 2/17/2026

Reference Information

CVE: CVE-2026-25738