MEDIUM

GHSA-hf68-g98v-wp9g

Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

Details

### Impact The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user with full admin privileges.

The `users.create permission` may commonly be delegated to HR staff, department leads, or similar roles.

### Patches Patched in [aea3877718](https://github.com/grokability/snipe-it/commit/aea3877718158cc2a10c2dde4597b1f439f5f6cb)

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / snipe/snipe-it

Introduced in: 0 Fixed in: 8.6.0

Fix composer require snipe/snipe-it:^8.6.0

References

https://github.com/grokability/snipe-it/security/advisories/GHSA-hf68-g98v-wp9g [WEB]
https://github.com/grokability/snipe-it/commit/aea3877718158cc2a10c2dde4597b1f439f5f6cb [WEB]
https://github.com/grokability/snipe-it [PACKAGE]