CVE-2024-5685 in snipe-it
Summary
by MITRE • 06/14/2024
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1.
Analysis
by VulDB Data Team • 06/18/2024
The vulnerability exists in the Snipe-IT asset management system: users holding a specific pair of permissions can change group memberships through the API without an adequate authorization check. Affected versions run from v4.6.17 through v6.4.1, so the flaw was present across a long series of releases. The root cause is missing access-control validation on group-membership changes, which lets an authenticated user raise or lower the privilege level of their own account or of other users' accounts.
Technically, the flaw is a missing authorization check when the API processes a request that modifies a user's group membership. A user holding the "User:edit" and "Self:api" permissions can change their own group memberships or those of other users, bypassing the intended permission model. Because Snipe-IT groups carry permission sets that their members inherit, adding an account to an administrative group is equivalent to promoting it, and removing an account from its groups is equivalent to demoting it. The weakness is an authorization bypass classified as CWE-285 (Improper Authorization). It permits both privilege escalation, where a user gains higher privileges, and privilege de-escalation, where other users' access is reduced.
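To make the authorization gap concrete, here is an added example written for this page; it is not Snipe-IT's own code. The permission names and the fact that group membership is changed through a user-update API call come from the advisory. The `User` and `Group` classes, the handler names, the `groups` request field and the simplified rule that a member inherits a group's permissions are assumptions for illustration. The vulnerable handler applies the `groups` field for any caller who may edit users at all; the fixed handler restricts that field to superusers and rejects the request instead of silently dropping it.

```python
"""Minimal model of the authorization gap behind CVE-2024-5685.

Added example; this is not Snipe-IT's code. The permission names and the
idea that group membership is changed through a user-update API call come
from the advisory. Everything else (the User/Group classes, the handler
functions, the "groups" request field, and the rule that a user inherits
their groups' permissions) is a simplified model written for illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check rejects the request."""


@dataclass
class Group:
    id: int
    name: str
    permissions: dict  # e.g. {"superuser": "1"}; "1" means granted


@dataclass
class User:
    id: int
    permissions: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)  # ids of groups the user belongs to


def effective_permissions(user: User, groups_db: dict) -> dict:
    """A user's own grants plus those of every group they belong to (model)."""
    perms = dict(user.permissions)
    for gid in user.groups:
        perms.update(groups_db[gid].permissions)
    return perms


def can(user: User, perm: str, groups_db: dict) -> bool:
    """Superusers can do everything; otherwise the named permission must be granted."""
    perms = effective_permissions(user, groups_db)
    return perms.get("superuser") == "1" or perms.get(perm) == "1"


def _require_edit_rights(actor: User, groups_db: dict) -> None:
    """The precondition named in the advisory: both permissions must be held."""
    if not (can(actor, "User:edit", groups_db) and can(actor, "Self:api", groups_db)):
        raise Forbidden("User:edit and Self:api are required to call this endpoint")


def update_user_vulnerable(actor: User, target: User, body: dict, groups_db: dict) -> User:
    """Behaviour the advisory describes: once the caller may edit users at all,
    a 'groups' field in the body is applied without asking who is allowed to
    change group membership."""
    _require_edit_rights(actor, groups_db)
    if "groups" in body:
        target.groups = set(body["groups"])  # CWE-285: no authorization check for this field
    return target


def update_user_fixed(actor: User, target: User, body: dict, groups_db: dict) -> User:
    """Hardened variant: group membership is a privilege-granting attribute, so
    only a superuser may set it, and unknown group ids are rejected."""
    _require_edit_rights(actor, groups_db)
    if "groups" in body:
        if not can(actor, "superuser", groups_db):
            # Reject rather than silently drop the field, so the caller learns
            # the request was not applied and the attempt can be logged.
            raise Forbidden("only superusers may change group membership")
        unknown = set(body["groups"]) - set(groups_db)
        if unknown:
            raise ValueError(f"unknown group ids: {sorted(unknown)}")
        target.groups = set(body["groups"])
    return target


def run_scenario(handler) -> dict:
    """Constructed scenario: a helpdesk user holding the two required permissions
    (1) adds themselves to the Admins group and (2) strips an admin's groups.
    Returns whether each call was accepted and the resulting privilege state."""
    groups = {
        1: Group(1, "Admins", {"superuser": "1"}),
        2: Group(2, "Helpdesk", {"User:view": "1"}),
    }
    attacker = User(7, {"User:edit": "1", "Self:api": "1"}, {2})
    admin = User(1, {}, {1})
    result = {}
    for name, target, body in (("promote_self", attacker, {"groups": [1, 2]}),
                               ("demote_admin", admin, {"groups": []})):
        try:
            handler(attacker, target, body, groups)
            result[name] = True
        except Forbidden:
            result[name] = False
    result["attacker_is_superuser"] = can(attacker, "superuser", groups)
    result["admin_is_superuser"] = can(admin, "superuser", groups)
    return result


if __name__ == "__main__":
    print("vulnerable:", run_scenario(update_user_vulnerable))
    print("fixed:     ", run_scenario(update_user_fixed))
```

With the vulnerable handler the scenario ends with the attacker as superuser and the admin stripped of all groups; with the fixed handler both calls are refused and the privilege state is unchanged. The design point is that "may edit a user record" and "may grant privileges" are different authorizations, and the second one has to be checked per field, not per endpoint.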
The operational impact is serious: an attacker with only the two required permissions can add themselves to an administrative group and gain administrative control, or remove other users from their groups and strip their access. Either action breaks the integrity of the access-control model and defeats the principle of least privilege. Administrative access to an asset-management system exposes the inventory of hardware, software licences and user assignments to unauthorized reading and modification, and that information can support lateral movement to other systems. The issue sits in the platform's core authorization mechanism, undermining the trust model organizations rely on when they use Snipe-IT for asset management.
Organizations running an affected version should upgrade to a release later than v6.4.1, in which the issue is addressed. Until then, review who holds both "User:edit" and "Self:api", since that combination is the precondition for exploitation, and remove one or the other from accounts that do not need it. Restricting network access to the API and monitoring write calls to the users API help detect exploitation attempts, though an access log alone does not show which fields a request changed. The vulnerability aligns with ATT&CK technique T1078 (Valid Accounts): exploitation requires a legitimate, authenticated account, so a compromised or malicious low-privilege account is the expected entry point. Regular privilege reviews and security audits help surface similar authorization flaws before they are exploited.
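As an added example of the monitoring suggested above (written for this page, not part of Snipe-IT or VulDB), the following Python flags PUT and PATCH calls to per-user API paths in reverse-proxy access logs and groups the successful ones by client address. It assumes the common "combined" log format and that user updates go to `/api/v1/users/<id>`; both the path pattern and the log lines are constructed for illustration.

```python
"""Flag write calls to the users API in web-server access logs.

Added example, not part of Snipe-IT or VulDB. It assumes the reverse proxy in
front of Snipe-IT writes the nginx/Apache "combined" log format and that user
updates go to /api/v1/users/<id> (an assumption for illustration). The log
lines below are constructed.
"""
import re

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Per-user write endpoint (assumed path); an optional query string is tolerated.
USER_WRITE = re.compile(r"^/api/v1/users/\d+(?:\?.*)?$")
WRITE_METHODS = {"PUT", "PATCH"}

# Constructed sample: one client reads its own record, then writes to its own
# record and to user 1; another client is refused (403) and then reads assets.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2024:10:01:02 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [18/Jun/2024:10:01:09 +0000] "PATCH /api/v1/users/7 HTTP/1.1" 200 143 "-" "curl/8.0"
10.0.0.5 - - [18/Jun/2024:10:01:15 +0000] "PATCH /api/v1/users/1 HTTP/1.1" 200 143 "-" "curl/8.0"
10.0.0.9 - - [18/Jun/2024:10:02:00 +0000] "PUT /api/v1/users/42 HTTP/1.1" 403 87 "-" "python-requests/2.31"
10.0.0.9 - - [18/Jun/2024:10:02:30 +0000] "GET /api/v1/hardware HTTP/1.1" 200 9001 "-" "python-requests/2.31"
"""


def parse(line: str):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def user_write_events(log_text: str) -> list:
    """Every PUT/PATCH against a per-user API path, regardless of outcome."""
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] in WRITE_METHODS and USER_WRITE.match(rec["path"]):
            events.append(rec)
    return events


def suspicious_sources(log_text: str, min_successful_writes: int = 1) -> dict:
    """Client addresses whose user-record writes succeeded (2xx), with the paths touched."""
    by_ip = {}
    for e in user_write_events(log_text):
        if e["status"].startswith("2"):
            by_ip.setdefault(e["ip"], []).append(e["path"])
    return {ip: paths for ip, paths in by_ip.items() if len(paths) >= min_successful_writes}


if __name__ == "__main__":
    for ip, paths in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip} modified user records: {paths}")
```

The access log does not carry the request body, so it cannot tell whether a flagged write contained a `groups` field. What this gives the responder is a short list of client addresses and target users to check against the application's own audit trail; the 403 line is also worth keeping, since a refused write from an API client is a cheap indicator of someone probing the endpoint.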