Severity: HIGH (8.8)

GHSA-hq28-crg7-95pr

Snipe-IT has Privilege Escalation via API Permissions Assignment

Details

### Impact

An authenticated user with only the `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, so `admin` and every other permission key can be set by any user who is allowed to update users.
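The flaw is a one-key denylist: the controller removes `superuser` and trusts everything else in the submitted array. The following is an added illustrative example, not Snipe-IT's code and not the upstream patch: it models the vulnerable filter next to one hardened shape in which a caller can only grant permissions they already hold and only a superuser may touch the `admin` and `superuser` keys. The function names, the `$actor` array layout, the permission allowlist and the `'1'`/`'0'` value encoding are all assumptions made for the example.

```php
<?php
// Added example (not Snipe-IT's code). Models the permission filter described
// in the advisory. Function names, the $actor shape, the allowlist and the
// '1'/'0' encoding are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable shape from the advisory: only `superuser` is stripped, so
 * `admin` and every other key in the submitted array pass through unchanged.
 */
function filterPermissionsVulnerable(array $requested): array
{
    unset($requested['superuser']);
    return $requested;
}

/**
 * Hardened shape (illustrative, not the upstream fix):
 *  - unknown keys are dropped (allowlist, not denylist);
 *  - `superuser` and `admin` may only be changed by a superuser;
 *  - any other permission may only be granted by a caller who holds it.
 * Values are normalised to the strings '1' (granted) / '0' (not granted).
 */
function filterPermissionsHardened(array $requested, array $actor): array
{
    // Assumed subset of permission keys for the example.
    $allowed = ['superuser', 'admin', 'users.view', 'users.edit', 'assets.view', 'assets.edit'];
    $actorPerms = $actor['permissions'] ?? [];
    $actorIsSuperuser = ($actorPerms['superuser'] ?? '0') === '1';

    $out = [];
    foreach ($requested as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            continue; // not a known permission key: discard
        }
        $granting = ((string) $value) === '1';

        // Administrative keys: only a superuser may grant or revoke them.
        if (($key === 'superuser' || $key === 'admin') && !$actorIsSuperuser) {
            continue;
        }
        // Ordinary keys: the caller must already hold a permission to grant it.
        if ($granting && !$actorIsSuperuser && (($actorPerms[$key] ?? '0') !== '1')) {
            continue;
        }
        $out[$key] = $granting ? '1' : '0';
    }
    return $out;
}

// Constructed sample: a low-privileged editor submits the escalation payload
// from the advisory, padded with two more keys.
$editor  = ['id' => 42, 'permissions' => ['users.edit' => '1']];
$payload = ['admin' => '1', 'superuser' => '1', 'assets.edit' => '1', 'users.edit' => '1'];

print_r(filterPermissionsVulnerable($payload));      // admin, assets.edit and users.edit survive
print_r(filterPermissionsHardened($payload, $editor)); // only users.edit => '1' survives
```

Two points worth keeping separate when reviewing a fix like this: the allowlist stops unknown keys, while the per-key authority check is what actually stops the escalation, and neither replaces a check that the caller is permitted to edit the target user's permissions at all (for example, refusing to let a user change their own permission set).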

### Patches

Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.

### Workarounds

None.


Affected packages

Packagist / snipe/snipe-it
Introduced in: 0 (all versions before the fix)
Fixed in: 8.4.1
Fix: `composer require snipe/snipe-it:^8.4.1`
