Severity: MEDIUM (5.5)

GHSA-52fw-7fw2-fmv5

Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

Details

### Impact

A user with only the users.edit and api permissions can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except admin and superuser, for example `assets.view`, `assets.create`, `reports.view`, import, etc.
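To make the defensive side of this concrete, the following is an added example (not Snipe-IT's code and not the contents of the fix referenced below). It assumes a constructed JSON-lines audit log shape with `actor_id`, `actor_roles`, `method`, `path` and `body` fields, and shows two things: an illustrative authorization rule that lets a user with users.edit change ordinary profile fields but reserves the `permissions` field for admin/superuser, and a log sweep that flags PATCH requests to /api/v1/users/{id} in which a non-privileged actor touched `permissions`. The sweep goes slightly beyond the advisory: it flags such writes to any user id, not only the actor's own, and records whether the target was the actor itself.

```python
import json
import re

# Constructed sample audit records (assumed shape, not Snipe-IT's real log format).
SAMPLE_AUDIT_LOG = """\
{"actor_id": 42, "actor_roles": ["users.edit", "api"], "method": "PATCH", "path": "/api/v1/users/42", "body": {"permissions": {"assets.view": "1", "assets.create": "1"}}}
{"actor_id": 42, "actor_roles": ["users.edit", "api"], "method": "PATCH", "path": "/api/v1/users/42", "body": {"first_name": "Sam"}}
{"actor_id": 7, "actor_roles": ["superuser"], "method": "PATCH", "path": "/api/v1/users/42", "body": {"permissions": {"reports.view": "1"}}}
{"actor_id": 42, "actor_roles": ["users.edit", "api"], "method": "GET", "path": "/api/v1/users/42", "body": {}}
{"actor_id": 13, "actor_roles": ["users.edit", "api"], "method": "PATCH", "path": "/api/v1/users/13", "body": {"permissions": {"import": "1"}}}
{"actor_id": 42, "actor_roles": ["users.edit", "api"], "method": "PATCH", "path": "/api/v1/users/99", "body": {"permissions": {"reports.view": "1"}}}
"""

# Roles that are allowed to assign permissions (illustrative assumption).
PRIVILEGED_ROLES = {"admin", "superuser"}

# Matches the user update endpoint named in the advisory and captures the id.
USER_PATH = re.compile(r"^/api/v1/users/(\d+)/?$")


def is_privileged(actor_roles):
    """True if the actor holds a role that may assign permissions."""
    return bool(PRIVILEGED_ROLES & set(actor_roles))


def allow_user_patch(actor_roles, body):
    """Illustrative server-side rule (an assumption, not the project's patch):
    any holder of users.edit may change ordinary attributes, but a request
    that carries a 'permissions' field is only honoured for admin/superuser,
    regardless of whether the target is the actor's own account."""
    if "permissions" not in body:
        return True
    return is_privileged(actor_roles)


def find_permission_writes(log_text):
    """Scan JSON-lines audit records and return PATCHes to /api/v1/users/{id}
    in which a non-privileged actor supplied a 'permissions' field."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "PATCH":
            continue
        match = USER_PATH.match(rec.get("path", ""))
        if not match:
            continue
        body = rec.get("body") or {}
        if "permissions" not in body:
            continue
        if is_privileged(rec.get("actor_roles", [])):
            continue  # an admin/superuser assigning permissions is expected
        target_id = int(match.group(1))
        hits.append({
            "actor_id": rec["actor_id"],
            "target_id": target_id,
            "self": target_id == rec["actor_id"],
            "permissions": sorted(body["permissions"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_permission_writes(SAMPLE_AUDIT_LOG):
        kind = "self-grant" if hit["self"] else "grant to other user"
        print(f"actor {hit['actor_id']} -> user {hit['target_id']}: "
              f"{kind} of {hit['permissions']}")
```

Against the constructed log, the sweep reports three records: the two self-grants by users 42 and 13 and the write by user 42 against user 99, while the superuser's assignment and the plain first_name edit are left alone. The same `allow_user_patch` rule, applied before the update is persisted, would have rejected all three flagged requests.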

### Patches

Patched in https://github.com/grokability/snipe-it/pull/19024


Affected packages

Packagist / snipe/snipe-it
First affected version: 0
Fixed version: 8.6.0
Fix: composer require snipe/snipe-it:^8.6.0

References