Improper Access Control in snipe/snipe-it

Valid

Reported on

Jan 9th 2022


Description

A user with no rights for API tokens can view the page where API tokens can be generated and can generate API tokens.

Proof of Concept

  • Create a user with no permission for anything (i.e. everything on deny).

  • Log in with this user to the web application.

  • Visit http://127.0.0.1:8000/account/api => The user can see and generate personal API tokens even though the user has no rights for it.

Impact

The impact tends to be low, as the user sees / generates his own API tokens. If the page had some other serious errors, the attacker could do more from this point on.

Occurrences

There is no check preventing the user from viewing that site if no permission is given.
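The report describes a page that is reachable by any logged-in user because no permission is consulted before the API-token view (and the token-creation action behind it) is served. The following is an added example written for this page in generic Laravel terms; it is not Snipe-IT's own code and not the fix in commit 0e5ef5. The ability name `generate-api-token`, the route path, the shape of `$user->permissions`, and the use of Passport's `createToken()` are all assumptions. It shows the unguarded action beside two ways to gate it: at the route (middleware `can:`) and inside the controller (`abort_unless` / `Gate::allows`), and it gates the POST endpoint separately, since hiding the form alone does not stop a direct request.

```php
<?php
// Added example for this report; not Snipe-IT's code. Ability name, route,
// permission layout and Passport usage are assumptions for illustration.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;

// --- Policy registration (belongs in AuthServiceProvider::boot()) ---------
// Deny by default: a user may reach the token page only with an explicit
// grant. The report found that no such check existed in front of the page.
class ExampleAuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        Gate::define('generate-api-token', function (User $user): bool {
            // Assumption: permissions is a decoded map like
            // ['api' => '1', 'users.view' => '0']; anything but '1' is denied.
            $permissions = (array) ($user->permissions ?? []);

            return (string) ($permissions['api'] ?? '0') === '1';
        });
    }
}

// --- Controller ------------------------------------------------------------
class ExampleProfileController extends Controller
{
    // BEFORE (the behaviour reported): only the login middleware stands in
    // front of this action, so every authenticated user gets the token form.
    public function apiVulnerable()
    {
        return view('account.api');
    }

    // AFTER: the page itself is gated; a user with no rights receives 403
    // instead of a form that lets them mint a token.
    public function apiFixed()
    {
        abort_unless(Gate::allows('generate-api-token'), 403);

        return view('account.api');
    }

    // The creation endpoint is gated on its own. A hidden HTML form is not
    // a control: the POST can be sent without ever rendering the page.
    public function createTokenFixed(Request $request)
    {
        abort_unless(Gate::allows('generate-api-token'), 403);

        $validated = $request->validate([
            'name' => 'required|string|max:100',
        ]);

        // Assumption: User uses Laravel Passport's HasApiTokens trait, so the
        // resulting token carries exactly this user's (empty) permissions.
        $token = Auth::user()->createToken($validated['name']);

        return response()->json(['token' => $token->accessToken], 201);
    }
}

// --- Routes (belongs in routes/web.php) ------------------------------------
// Equivalent gating at the route layer: the `can:` middleware runs the same
// Gate ability before the controller is ever invoked.
Route::middleware(['auth', 'can:generate-api-token'])->group(function () {
    Route::get('/account/api', [ExampleProfileController::class, 'apiFixed']);
    Route::post('/account/api', [ExampleProfileController::class, 'createTokenFixed']);
});
```

Either the route middleware or the in-controller `abort_unless` is sufficient on its own; keeping the check in the controller as well guards against a future route being added without the middleware. A regression test for this class of bug logs in as a user with every permission denied and asserts that both the GET and the POST return 403.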

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 2 years ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 years ago
snipe validated this vulnerability 2 years ago
kstarkloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
2 years ago

Maintainer


This is very low impact, since a user with no permissions to do anything would create an API user with no permissions to do anything, since the API token inherits the permissions from the user who created it, but it's a valid bug. I'll have a fix out this week.

snipe
2 years ago

Maintainer


(Thank you for the report btw)

snipe marked this as fixed in 5.3.8 with commit 0e5ef5 2 years ago
snipe has been awarded the fix bounty
ProfileController.php#L116 has been validated