MEDIUM 5.5
GHSA-52fw-7fw2-fmv5
Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Details
### Impact

A user with only `users.edit` and API permissions can send a PATCH to `/api/v1/users/{their_own_id}` and grant themselves any permission except `admin` and `superuser` — for example `assets.view`, `assets.create`, `reports.view`, import, etc.

### Patches

Patched in https://github.com/grokability/snipe-it/pull/19024
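The following Python model is an added illustration and is not Snipe-IT's code or the fix in the linked pull request. It contrasts the pattern the advisory describes (a `users.edit` holder PATCHing their own record and having the permission map applied, with only `admin`/`superuser` filtered out) with a hardened handler that refuses any permission change on the caller's own record unless they are a superuser, and rejects protected keys outright instead of silently dropping them. The `User` and `Forbidden` types, the two handler functions and the sample user are constructed for this example; the permission names come from the advisory.

```python
# Added illustration, not Snipe-IT's code: a minimal model of the advisory's
# bug (self-PATCH lets a users.edit holder grant themselves permissions) next
# to a hardened handler that refuses permission changes on the caller's own
# record. Permission names follow the advisory; User, Forbidden and the two
# handlers are constructed for this example.
from dataclasses import dataclass, field

# Keys the advisory says were already blocked even in the vulnerable version.
PROTECTED_KEYS = {"admin", "superuser"}


class Forbidden(Exception):
    """Raised when the actor is not allowed to perform the update."""


@dataclass
class User:
    id: int
    permissions: dict = field(default_factory=dict)

    def has(self, perm: str) -> bool:
        return bool(self.permissions.get(perm, False))


def _require_users_edit(actor: User) -> None:
    if not (actor.has("users.edit") or actor.has("superuser")):
        raise Forbidden("users.edit permission required")


def patch_user_vulnerable(actor: User, target: User, payload: dict) -> User:
    """Pattern the advisory describes: any users.edit holder may PATCH any
    user, including themselves, and the permission map is applied as sent,
    with only admin/superuser filtered out for non-superusers."""
    _require_users_edit(actor)
    for key, value in payload.get("permissions", {}).items():
        if key in PROTECTED_KEYS and not actor.has("superuser"):
            continue  # silently dropped; every other key is accepted
        target.permissions[key] = bool(value)
    return target


def patch_user_hardened(actor: User, target: User, payload: dict) -> User:
    """Same endpoint with two extra checks: the permission map may not be
    changed on the caller's own record unless they are a superuser, and
    protected keys are rejected (not silently dropped) for non-superusers."""
    _require_users_edit(actor)
    perms = payload.get("permissions")
    if perms is not None:
        if target.id == actor.id and not actor.has("superuser"):
            raise Forbidden("a user may not modify their own permissions")
        for key, value in perms.items():
            if key in PROTECTED_KEYS and not actor.has("superuser"):
                raise Forbidden(f"only a superuser may grant {key}")
            target.permissions[key] = bool(value)
    return target


def self_grant_succeeds(handler) -> bool:
    """Replay the self-edit from the advisory against a handler and report
    whether the caller ended up holding assets.view."""
    me = User(id=42, permissions={"users.edit": True})  # constructed sample user
    payload = {"permissions": {"assets.view": True, "superuser": True}}
    try:
        handler(me, me, payload)
    except Forbidden:
        return False
    return me.has("assets.view")


if __name__ == "__main__":
    print("vulnerable handler, self-grant succeeded:",
          self_grant_succeeds(patch_user_vulnerable))
    print("hardened handler, self-grant succeeded:  ",
          self_grant_succeeds(patch_user_hardened))
```

The design point is that `users.edit` authorises editing user records, not granting rights: the permission map is a separate, higher-privilege attribute, so the hardened handler checks who the target is and who the actor is before touching it, and it fails loudly on protected keys so that an attempted escalation shows up in application logs rather than being quietly trimmed.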
Affected packages

Packagist / snipe/snipe-it
Introduced in: 0
Fixed in: 8.6.0

Fix: `composer require snipe/snipe-it:^8.6.0`