PT-2024-37081 · Snipe-It · Snipe-It

Published

2024-06-14

Updated

2024-06-19

CVE-2024-5685

CVSS v4.0

8.6

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: snipe-it versions 4.6.17 through 6.4.1

Description: The issue allows users with User:edit and Self:api permissions to promote or demote themselves or other users by performing changes to the group's memberships via an API call.

Recommendations: For versions 4.6.17 through 6.4.1, consider restricting the User:edit and Self:api permissions to prevent unauthorized changes to group memberships until a patch is available. As a temporary workaround, consider disabling API calls that allow group membership changes to minimize the risk of exploitation.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2024-5685

GHSA-544R-FC65-V832

Affected Products

Snipe-It

PT-2024-37081 · Snipe-It · Snipe-It

CVE-2024-5685

Weakness Enumeration

Related Identifiers

Affected Products

References · 14