Username can be enumerated by password reset endpoint in snipe/snipe-it

Valid

Reported on

Jun 19th 2022


Description

The error message on /password/reset/1 can indicate whether the username exists in the instance.

I believe this is a valid issue for the following reason:

  1. /password/reset: after submitting the username on this page, the server always returns success, no matter whether the username exists.
  2. ForgotPasswordController.php: in this file, you added a random sleep to prevent user enumeration.

Proof of Concept

Open /password/reset/1, for example, https://demo.snipeitapp.com/password/reset/1

You can see the different responses by using different usernames, e.g. admin and not-existed-user.

(Make sure you enter a password that matches the security rules.)

For the admin user, the response is passwords.token (which is missing a lang translation, I think).

As for the others, the response is 500 | SERVER ERROR.

In my self-hosted site, the response is No matching active user found with that email.


An attacker can write a script to detect what users are registered on this snipe-it instance.
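The defensive fix for this class of issue is to make the token-submission step behave like the first step of the flow: one status and one message for every outcome, whether the username is unknown or the token is wrong. The following is an added illustrative example, not snipe-it's own PHP code: a minimal reset handler in a leaky variant (distinct messages per failure path, mirroring the report) and a uniform variant, plus a check that reports whether a handler's response differs between a registered and an unregistered username. The user set, token value and password rule (PASSWORD_MIN_LEN) are constructed assumptions.

```python
import hmac
import random
import time
from dataclasses import dataclass

# Assumption: stand-in for the instance's password security rules.
PASSWORD_MIN_LEN = 8


@dataclass(frozen=True)
class Response:
    status: int
    message: str


def new_store() -> dict:
    """Constructed sample state: one registered user with one outstanding
    reset token. A real system would store a hash of the token, not the token."""
    return {
        "users": {"admin"},
        "reset_tokens": {"admin": "constructed-valid-token"},
    }


def password_meets_rules(password: str) -> bool:
    # Failing the password policy is not an enumeration signal: it is
    # checked before any user lookup, so both variants report it the same way.
    return len(password) >= PASSWORD_MIN_LEN


def leaky_reset(store: dict, username: str, token: str, new_password: str) -> Response:
    """Mirrors the reported behaviour: each failure path has its own message,
    so the message alone tells the caller whether `username` is registered."""
    if not password_meets_rules(new_password):
        return Response(422, "password does not meet the security rules")
    if username not in store["users"]:
        return Response(500, "No matching active user found with that email.")
    if not hmac.compare_digest(store["reset_tokens"].get(username, ""), token):
        return Response(422, "passwords.token")
    del store["reset_tokens"][username]
    return Response(200, "Your password has been reset.")


# One response for every outcome after the policy check, valid token included.
GENERIC = Response(200, "If the token is valid, the password has been reset.")


def uniform_reset(store: dict, username: str, token: str, new_password: str,
                  delay=(0.0, 0.0)) -> Response:
    """Hardened variant: unknown user and wrong token are indistinguishable
    in status and body. The token comparison runs even for unknown users so
    both paths do the same work, and an optional random sleep (the measure the
    report says the forgot-password step already uses) blurs timing."""
    if not password_meets_rules(new_password):
        return Response(422, "password does not meet the security rules")
    expected = store["reset_tokens"].get(username, "")
    token_matches = hmac.compare_digest(expected, token)
    if username in store["users"] and token_matches:
        del store["reset_tokens"][username]
    time.sleep(random.uniform(*delay))
    return GENERIC


def distinguishes_users(handler, good_password: str = "Correct-Horse-1") -> bool:
    """True if, for a wrong token, the response differs between a registered
    and an unregistered username: the signal a username-enumeration test looks for."""
    known = handler(new_store(), "admin", "wrong-token", good_password)
    unknown = handler(new_store(), "not-existed-user", "wrong-token", good_password)
    return known != unknown


if __name__ == "__main__":
    print("leaky handler leaks:  ", distinguishes_users(leaky_reset))
    print("uniform handler leaks:", distinguishes_users(uniform_reset))
```

The `distinguishes_users` check is the kind of assertion worth keeping in a test suite for any endpoint that takes an identifier plus a secret: it pins the "no per-user error messages" property so a later refactor cannot quietly reintroduce it.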

Impact

Usernames of the snipe-it instance can be enumerated

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
Brady Wetherington gave praise a year ago
I've been able to replicate this, I'm just struggling with what wording we'd like to use for the CVE.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
snipe modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
snipe validated this vulnerability a year ago
imlonghao has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe marked this as fixed in v6.0.5 with commit 218751 a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE