VDB
HIGH 8.8

GHSA-hq28-crg7-95pr

Snipe-IT has Privilege Escalation via API Permissions Assignment

Details

### Impact

An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users.
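The following is an added example written for this page, not Snipe-IT's code or its fix. It models the behaviour the advisory describes: a bracketed form body such as `permissions[admin]=1` is parsed into a nested dict, the pre-fix filter drops only `superuser`, and an alternative filter rejects any grant the caller is not entitled to make. The parser, the `ACTOR`/`TARGET` records, the `"1"` = granted representation, and the hardening policy (reserve `admin` and `superuser` for superusers, and let a caller grant only keys they themselves hold) are assumptions for illustration; the project's actual fix is in the commit referenced under Patches.

```python
from urllib.parse import parse_qsl

# Constructed sample request body: the PATCH to /api/v1/users/{id} from the
# advisory, sent as a form body. users.edit is included so the request looks
# like a routine permission edit with the escalation smuggled in.
SAMPLE_BODY = "permissions[users.edit]=1&permissions[admin]=1&permissions[superuser]=1"

# Constructed actor: holds only users.edit (assumed representation, "1" = granted).
ACTOR = {"users.edit": "1"}
# Constructed target record being edited (here the actor edits their own account).
TARGET = {"users.edit": "1"}

# Keys that hand over the whole instance; reserved for superusers under the
# assumed hardening policy below.
ELEVATED_KEYS = {"superuser", "admin"}


def parse_bracket_form(body):
    """Parse a PHP/Laravel-style bracketed form body into nested dicts,
    e.g. 'permissions[admin]=1' -> {'permissions': {'admin': '1'}}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        head, _, rest = key.partition("[")
        path = [head]
        while rest:
            segment, _, rest = rest.partition("]")
            path.append(segment)
            if rest.startswith("["):
                rest = rest[1:]
        node = out
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return out


def vulnerable_apply_permissions(target, submitted):
    """Models the pre-fix behaviour the advisory describes: only the
    'superuser' key is stripped, every other key is merged as sent."""
    cleaned = {k: v for k, v in submitted.items() if k != "superuser"}
    merged = dict(target)
    merged.update(cleaned)
    return merged


def forbidden_grants(actor, submitted):
    """Keys the actor may not grant: the elevated keys unless the actor is a
    superuser, and any key the actor does not hold themselves (assumed policy)."""
    actor_is_super = actor.get("superuser") == "1"
    forbidden = []
    for key, value in submitted.items():
        if value != "1":
            continue  # only grants escalate; revocations are not checked here
        if actor_is_super:
            continue
        if key in ELEVATED_KEYS or actor.get(key) != "1":
            forbidden.append(key)
    return sorted(forbidden)


def hardened_apply_permissions(actor, target, submitted):
    """Assumed hardening: refuse the whole request when it carries any grant
    the actor may not make, rather than silently dropping a single key."""
    bad = forbidden_grants(actor, submitted)
    if bad:
        raise PermissionError("caller may not grant: " + ", ".join(bad))
    merged = dict(target)
    merged.update(submitted)
    return merged


def demo():
    """Run both filters over the constructed request and return the outcomes."""
    submitted = parse_bracket_form(SAMPLE_BODY)["permissions"]
    vulnerable = vulnerable_apply_permissions(TARGET, submitted)
    try:
        hardened = hardened_apply_permissions(ACTOR, TARGET, submitted)
        rejected = None
    except PermissionError as exc:
        hardened, rejected = dict(TARGET), str(exc)
    return {"vulnerable": vulnerable, "hardened": hardened, "rejected": rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the vulnerable merge leaving `admin` set to `"1"` on the target while only `superuser` is gone, and the hardened variant leaving the target untouched and naming both `admin` and `superuser` as forbidden grants. The design point is that a deny-list of one key is the wrong shape for this check: the decision has to be made against what the caller is allowed to grant, not against a single key the server knows to be dangerous.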

### Patches

Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.

### Workarounds

None.


Affected package

Packagist / snipe/snipe-it
First affected version: 0 (all versions before 8.4.1)   Fixed version: 8.4.1
Fix: composer require snipe/snipe-it:^8.4.1

References