MEDIUM 6.3

GHSA-33g4-646g-qwmm

Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

Details

### Impact The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.

### Patches Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / snipe/snipe-it

Introduced in: 0 Fixed in: 8.4.2

Fix composer require snipe/snipe-it:^8.4.2

References

https://github.com/grokability/snipe-it/security/advisories/GHSA-33g4-646g-qwmm [WEB]
https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18 [WEB]
https://github.com/grokability/snipe-it [PACKAGE]