HIGH 8.8
GHSA-hq28-crg7-95pr
Snipe-IT has Privilege Escalation via API Permissions Assignment
Details
### Impact

An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users.

### Patches

Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.

### Workarounds

None.
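The root cause is a deny-list of one key applied to a client-supplied permissions array. The following Python illustration (added here; it is not Snipe-IT's own PHP code, and the key names, the `actor` dict and the helper names are assumptions) shows the single-key strip beside a deny-by-default sanitizer that only lets a superuser grant privilege-bearing keys, plus an audit helper that reports which privileged keys a non-superuser tried to set.

```python
# Added illustration of the sanitisation flaw described in the advisory.
# Names and the permission key set are constructed for this example.

KNOWN_PERMISSIONS = {"superuser", "admin", "users.edit", "users.view"}
PRIVILEGED_KEYS = {"superuser", "admin"}  # keys that grant elevated access


def sanitize_permissions_vulnerable(requested: dict) -> dict:
    """Mirrors the flawed pattern: only 'superuser' is dropped, so a
    caller with users.edit can still push 'admin' (or any other key)."""
    cleaned = dict(requested)
    cleaned.pop("superuser", None)
    return cleaned


def sanitize_permissions_fixed(requested: dict, actor: dict) -> dict:
    """Hardened form: unknown keys are discarded, and privilege-bearing
    keys are only accepted when the acting user is already a superuser.
    `actor` is a constructed stand-in for the authenticated caller."""
    actor_is_superuser = bool(actor.get("superuser", False))
    cleaned = {}
    for key, value in requested.items():
        if key not in KNOWN_PERMISSIONS:
            continue  # never persist keys the application does not define
        if key in PRIVILEGED_KEYS and not actor_is_superuser:
            continue  # deny-by-default for privilege-granting keys
        cleaned[key] = value
    return cleaned


def privileged_keys_attempted(requested: dict, actor: dict) -> list:
    """Audit helper: which privileged keys a non-superuser tried to set.
    A non-empty result is worth logging and alerting on."""
    if actor.get("superuser", False):
        return []
    return sorted(k for k in requested if k in PRIVILEGED_KEYS)


if __name__ == "__main__":
    # Constructed request body resembling the advisory's PATCH payload.
    body = {"admin": "1", "superuser": "1", "users.edit": "1"}
    editor = {"superuser": False}  # caller holds only users.edit
    print("vulnerable:", sanitize_permissions_vulnerable(body))
    print("fixed:     ", sanitize_permissions_fixed(body, editor))
    print("attempted: ", privileged_keys_attempted(body, editor))
```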