Improper Access Control in snipe/snipe-it

Valid

Reported on

Jan 9th 2022


Description

A user with no rights for API tokens can view the page where API tokens can be generated and can generate API tokens.

Proof of Concept

  • Create a user with no permission for anything (i.e. everything on deny).

  • Log in with this user to the web application.

  • Visit http://127.0.0.1:8000/account/api => The user can see and generate personal API tokens even the user has no rights for it.

Impact

The impact trends to be low as the user sees / generates his own API tokens. If the page would have some other serious errors, the attacker could from this point on doing more stuff.

Occurences

There is no check that the user cannot view that site if no permission is given.

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 8 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 7 days ago
snipe validated this vulnerability 7 days ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
7 days ago

Maintainer


This is very low impact, since a user wth no permissions to do anything would create an API user with no permissions to do anything, since the API token inherits the permissions from the user who created it, but it's a valid bug. I'll have a fix out this week.

snipe
7 days ago

Maintainer


(Thank you for the report btw)

snipe confirmed that a fix has been merged on 0e5ef5 4 days ago
snipe has been awarded the fix bounty
ProfileController.php#L116 has been validated