MEDIUM 6.3

GHSA-33g4-646g-qwmm

Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

상세

### Impact The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.

### Patches Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / snipe/snipe-it

최초 영향 버전: 0 수정 버전: 8.4.2

수정 composer require snipe/snipe-it:^8.4.2

참고

https://github.com/grokability/snipe-it/security/advisories/GHSA-33g4-646g-qwmm [WEB]
https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18 [WEB]
https://github.com/grokability/snipe-it [PACKAGE]