Lucene search

CheckmarxCVELIST:CVE-2024-5685

HistoryJun 14, 2024 - 9:54 a.m.

CVE-2024-5685 Broken Function Level Authorization (BFLA) in snipe/snipe-it

2024-06-1409:54:41

CWE-862

Checkmarx

www.cve.org

cve-2024-5685

broken function level authorization

snipe/snipe-it

user:edit

self:api

permissions

unauthorized

group changes

api call

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

15.6%

JSON

Users with “User:edit” and “Self:api” permissions can promote or demote themselves or other users by performing changes to the group’s memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "snipe-it",
    "repo": "https://github.com/snipe/snipe-it",
    "vendor": "snipe",
    "versions": [
      {
        "lessThanOrEqual": "v6.4.1",
        "status": "affected",
        "version": "v4.6.17",
        "versionType": "custom"
      }
    ]
  }
]

References

advisory.checkmarx.net/?search=CVE-2024-5685

devhub.checkmarx.com/cve-details/CVE-2024-5685/

github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1

github.com/snipe/snipe-it/pull/14745

github.com/snipe/snipe-it/releases/tag/v6.4.2

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for CVELIST:CVE-2024-5685