PT-2021-23007 · Snipe-It · Snipe-It

Published: 2021-12-10 · Updated: 2022-08-09 · CVE-2021-4089

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: snipe-it versions prior to 5.3.4

Description: The issue is an Improper Access Control weakness. Regular users whose permissions are set to DENY for all models can still view model information through the "/models/{id}/clone" endpoint, because the clone action never calls authorize('view') before loading and rendering the model.

Recommendations: For snipe-it versions prior to 5.3.4, update to version 5.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/models/{id}/clone" endpoint to minimize the risk of exploitation. Additionally, review and adjust the permissions for regular users to ensure they cannot view model information without proper authorization.
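The following is an added illustration, not Snipe-IT's own code, of the class of defect the description names: a Laravel-style controller action behind a "/models/{id}/clone" route that renders a model's data without an authorization check, next to the hardened form that calls authorize('view') first, plus a route-level restriction of the kind the workaround suggests. The class, model and policy names (AssetModelController, AssetModel, ModelPolicy) and the view name are placeholders.

```php
<?php
// Added example (not Snipe-IT's code). Assumes a stock Laravel application:
// the base Controller uses the AuthorizesRequests trait, and a policy class
// is registered for the AssetModel Eloquent model.

namespace App\Http\Controllers;

use App\Models\AssetModel;   // hypothetical Eloquent model for an asset model
use Illuminate\Http\Request;

class AssetModelController extends Controller
{
    // Weak form: the action loads the record and pre-fills the edit form
    // with its values. Nothing checks whether the caller may view this
    // model, so a user whose role denies all model permissions still
    // receives the model's fields in the rendered response.
    public function getCloneWeak(int $modelId)
    {
        $model = AssetModel::findOrFail($modelId);
        $model->id = null;                         // the clone is unsaved
        return view('models.edit')->with('item', $model);
    }

    // Hardened form: authorize('view', $model) delegates to the registered
    // policy (ModelPolicy::view below) and throws an AuthorizationException,
    // rendered as HTTP 403, before any model data reaches the view.
    public function getClone(int $modelId)
    {
        $model = AssetModel::findOrFail($modelId);
        $this->authorize('view', $model);
        $model->id = null;
        return view('models.edit')->with('item', $model);
    }
}
```

The policy the check resolves to, and the route-level restriction, would live in separate files in a real project; they are shown here in the same style so the whole path from request to decision is visible (hasPermission is a placeholder for the application's own permission lookup):

```php
<?php
// app/Policies/ModelPolicy.php (hypothetical). Registered for AssetModel in
// AuthServiceProvider::$policies so that authorize('view', $model) lands here.
namespace App\Policies;

use App\Models\AssetModel;
use App\Models\User;

class ModelPolicy
{
    public function view(User $user, AssetModel $model): bool
    {
        // Placeholder: consult the user's granted/denied permission set.
        return $user->hasPermission('models.view');
    }
}

// routes/web.php (hypothetical). Temporary workaround until the patched
// version is deployed: gate the route itself with the 'can' middleware.
// Uses implicit route-model binding, so the {model} parameter name must
// match the second argument of the middleware.
use App\Http\Controllers\AssetModelController;
use Illuminate\Support\Facades\Route;

Route::get('models/{model}/clone', [AssetModelController::class, 'getClone'])
    ->middleware(['auth', 'can:view,model']);
```

With either fix in place, a denied user's request to the clone endpoint fails with 403 instead of returning the form, and those 403 responses are a useful signal to log and alert on while the unpatched version is still in service.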

Weakness Enumeration

Improper Access Control
Missing Authorization

Related Identifiers

CVE-2021-4089
GHSA-9VWF-54M9-GC4F

Affected Products

Snipe-It