Improper Access Control in snipe/snipe-it

Status: Valid

Reported on Dec 9th 2021


Description

Regular users whose asset-model permissions are all set to DENY can still view model information via the /models/{id}/clone endpoint, because the clone action performs no authorize('view') check before loading and rendering the model.

Proof of Concept

1: Create a regular user and set DENY on all permissions under asset models.
2: Log in as that user.
3: Access asset model ID 1 via http://[SNIPE-URL]/models/1/clone

Impact

Users without view permission on asset models can still view asset models through the clone endpoint.
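As an added illustration (not Snipe-IT's own code and not the content of the linked fix commits), the shape of a Laravel controller action with the missing check beside a version gated the way the report's second fix describes, plus a feature test that pins the behaviour. The class, method, view and policy ability names are assumptions.

```php
<?php
// Added illustration; AssetModelsController, getClone* and the 'models.edit'
// view are assumed names, not taken from the project.

namespace App\Http\Controllers;

use App\Models\AssetModel;

class AssetModelsController extends Controller
{
    // Before: the action loads the model and renders the edit form with no
    // authorization call. Laravel adds none implicitly, so any authenticated
    // user who reaches /models/{id}/clone sees the record, even with every
    // asset-model permission set to DENY.
    public function getCloneUnchecked($modelId)
    {
        $model = AssetModel::findOrFail($modelId);
        $clone = clone $model;
        $clone->id = null;
        return view('models.edit')->with('item', $clone);
    }

    // After: cloning is gated like creating a model, which is what the
    // action ultimately leads to (the report settles on 'create' rather than
    // 'view'). authorize() throws AuthorizationException, which Laravel
    // converts to a 403, before any model data is loaded.
    public function getClone($modelId)
    {
        $this->authorize('create', AssetModel::class);

        $model = AssetModel::findOrFail($modelId);
        $clone = clone $model;
        $clone->id = null;
        return view('models.edit')->with('item', $clone);
    }
}

// Regression test (assumed factory state): a user denied all asset-model
// permissions must receive 403 from the clone endpoint, while a user with
// create permission still reaches the form.
class AssetModelCloneAuthorizationTest extends \Tests\TestCase
{
    public function test_denied_user_cannot_reach_clone_form(): void
    {
        $denied = \App\Models\User::factory()->create(); // no permissions
        $this->actingAs($denied)->get('/models/1/clone')->assertStatus(403);
    }
}
```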

haxatron
2 months ago

Researcher


Fix: https://github.com/Haxatron/snipe-it/commit/918e7c8dae4d41935f534901a582ea8488bbf603

haxatron modified their report
2 months ago
haxatron
2 months ago

Researcher


On 2nd thought, I think it would be better to use authorize('create') rather than authorize('view')

Improved fix here: https://github.com/Haxatron/snipe-it/commit/1699c09758e56f740437674a8d6ba36443399f24

snipe validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
2 months ago

Maintainer


Thanks for this - can you create a PR against master or dev? I’ll happily take it.

haxatron
2 months ago

Researcher


Sure thing! - https://github.com/snipe/snipe-it/pull/10406

snipe
2 months ago

Maintainer


Awesome, thanks so much! <3

snipe confirmed that a fix has been merged on 1699c0 2 months ago
haxatron has been awarded the fix bounty