Improper Access Control in snipe/snipe-it

Valid

Reported on

Jan 6th 2022


Description

All bulk actions on asset models (bulk-edit, bulk-delete and the bulk form info) lack server-side access control checks: the handlers never verify that the requesting user holds the edit/delete permission.

Proof of concept

1: Grant a user only the View permission on Asset Models (leave Edit and Delete at DENY).

2: Log in as that user. The UI for bulk-edit and bulk-delete is still enabled; proceed.

3: You may bulk-delete / bulk-edit any asset model.

Impact

This vulnerability allows a user to view, edit and delete asset model information even though those permissions are explicitly set to DENY.
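The bug class behind this report, as an added illustration that is not Snipe-IT code: a bulk-delete handler whose only "protection" is that the form is hidden from some users, beside the same handler gated by a server-side permission check. The permission names (`models.view`, `models.delete`), the `User`/`AssetModelStore` classes and the Laravel `authorize()` call named in the comment are assumptions modelled on the project, not its actual API; the model list is constructed sample data.

```php
<?php
// Added example, not Snipe-IT code: models the missing-check bug in plain PHP.
// Permission names mirror Snipe-IT's per-model grants but are assumed here.

declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

final class User
{
    /** @param array<string,bool> $perms e.g. ['models.view' => true] */
    public function __construct(public string $name, private array $perms) {}

    // Anything not explicitly granted is treated as DENY.
    public function can(string $ability): bool
    {
        return $this->perms[$ability] ?? false;
    }
}

final class AssetModelStore
{
    /** @var array<int,string> id => model name (constructed sample data) */
    public array $models = [1 => 'MacBook Pro', 2 => 'ThinkPad T14', 3 => 'Dell U2720Q'];
}

// Vulnerable handler: the bulk form is only rendered for editors, but the
// handler itself never checks, so a direct POST with view-only rights succeeds.
function bulkDeleteVulnerable(User $user, AssetModelStore $store, array $ids): int
{
    $deleted = 0;
    foreach ($ids as $id) {
        if (isset($store->models[$id])) {
            unset($store->models[$id]);
            $deleted++;
        }
    }
    return $deleted;
}

// Hardened handler: authorize the *action* server-side before touching data.
// The Laravel equivalent is $this->authorize('delete', AssetModel::class)
// (assumed ability name; check the project's policy class). The same gate is
// needed on bulk-edit, which must require the edit permission instead.
function bulkDeleteHardened(User $user, AssetModelStore $store, array $ids): int
{
    if (!$user->can('models.delete')) {
        throw new AuthorizationException("{$user->name} may not delete asset models");
    }
    return bulkDeleteVulnerable($user, $store, $ids); // same work, now gated
}

// Demo: a user granted only View on Asset Models (edit/delete left at DENY).
$viewer = new User('viewer', ['models.view' => true]);

$store = new AssetModelStore();
$n = bulkDeleteVulnerable($viewer, $store, [1, 2]);
echo "vulnerable: viewer deleted {$n} models, " . count($store->models) . " left\n";

$store = new AssetModelStore();
try {
    bulkDeleteHardened($viewer, $store, [1, 2]);
} catch (AuthorizationException $e) {
    echo "hardened: 403 - {$e->getMessage()}, " . count($store->models) . " left\n";
}
```

Run with `php example.php` (PHP 8+). The point the report makes is visible in the output: hiding the UI control is not an access control, so every bulk route (edit, delete and the form-info endpoint that feeds them) needs its own permission check before it reads or mutates records.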

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 23 days ago
haxatron modified their report
23 days ago
haxatron submitted a
23 days ago
haxatron
23 days ago

Researcher


We have contacted a member of the snipe/snipe-it team and are waiting to hear back 22 days ago
haxatron
20 days ago

Researcher


Note that the fix is on the master branch, not the fix-access-control branch; also updated permalinks to reflect where all 4 issues occur.

We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. 19 days ago
snipe
18 days ago

Maintainer


You are a rock star <3 - can you PR this? It would be easier for me - if you can't, no worries, I'll sort it out.

haxatron
18 days ago

Researcher


Done - https://github.com/snipe/snipe-it/pull/10498

haxatron
17 days ago

Researcher


@maintainer, could you validate this? Thanks! :D

snipe validated this vulnerability 17 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
17 days ago

Maintainer


Done, and thanks :) You can call me snipe ;)

haxatron
17 days ago

Researcher


No problem snipe, happy to contribute to the security of your project. Once a new release is available, or when you are comfortable, could you submit the fix for this as well? That would be great! :)

snipe confirmed that a fix has been merged on cf14a0 17 days ago
haxatron has been awarded the fix bounty