Improper Access Control in snipe/snipe-it

Valid

Reported on

Dec 9th 2021


Description

Regular users with DENY set to all models permissions can still view model information via the /models/{id}/clone endpoint due to no authorize('view') permission being set.

Proof of Concept

1: Create regular user and set DENY to all permissions in asset models.
2: Login as the user
3: Access asset model ID 1 via http://[SNIPE-URL]/models/1/clone

Impact

This vulnerability allows users without the view permission on asset models to still view asset models via the clone endpoint.

haxatron
a year ago

Researcher


Fix: https://github.com/Haxatron/snipe-it/commit/918e7c8dae4d41935f534901a582ea8488bbf603

haxatron modified the report
a year ago
haxatron
a year ago

Researcher


On 2nd thought, I think it would be better to use authorize('create') rather than authorize('view')

Improved fix here: https://github.com/Haxatron/snipe-it/commit/1699c09758e56f740437674a8d6ba36443399f24
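
The missing check described above, shown as an added Laravel illustration rather than Snipe-IT's own code: the names AssetModelsController, getClone, AssetModel, the models.edit view and the AssetModelPolicy create gate are assumed, as is the route GET /models/{modelId}/clone.

```php
<?php
// Added example, not the project's code. Assumes a Laravel app with an
// AssetModel Eloquent model whose policy defines view() and create() gates
// that resolve to the user's asset-model permissions (DENY => false).

namespace App\Http\Controllers;

use App\Models\AssetModel;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Routing\Controller;

class AssetModelsController extends Controller
{
    use AuthorizesRequests;

    // BEFORE: the clone action loads the record and renders the create form
    // pre-filled with its fields. With no authorize() call, a user whose
    // asset-model permissions are all DENY still sees every field of model 1.
    public function getCloneVulnerable($modelId)
    {
        $model = AssetModel::findOrFail($modelId);
        $clone = clone $model;      // copy of the stored record
        $clone->id = null;          // presented as a new, unsaved model
        return view('models.edit')->with('item', $clone);
    }

    // AFTER: authorize before touching the record. 'create' is used rather
    // than 'view' because cloning is the first step of creating a new model;
    // it maps to the same gate as the normal create form, so a user who may
    // not create models cannot clone one (and therefore cannot read it) either.
    // authorize() throws AuthorizationException, which Laravel renders as 403.
    public function getClone($modelId)
    {
        $this->authorize('create', AssetModel::class);
        $model = AssetModel::findOrFail($modelId);
        $clone = clone $model;
        $clone->id = null;
        return view('models.edit')->with('item', $clone);
    }
}
```

A regression check for this class of bug is to request the clone URL as a user with every asset-model permission set to DENY and assert a 403 rather than a 200 with the model's fields in the body.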

snipe validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
snipe
a year ago

Maintainer


Thanks for this - can you create a PR against master or dev? I’ll happily take it.

haxatron
a year ago

Researcher


Sure thing! - https://github.com/snipe/snipe-it/pull/10406

snipe
a year ago

Maintainer


Awesome, thanks so much! <3

snipe marked this as fixed in N/A with commit 1699c0 a year ago
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE