CVSS3: 4.3 Medium
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK; Access Complexity: LOW; Authentication: SINGLE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low (Percentile 17.9%)
Two permissions are not enforced correctly: Licenses -> View and Modify License Files, and Self -> Create API Keys.
Files can be uploaded to licenses. There is a user permission called View and Modify License Files. However, this permission is ineffective: a user without it can still access files uploaded to licenses as long as they have the View permission for licenses. Additionally, they can enumerate all uploaded files by simply incrementing the file identifier in the URL, since it is a simple counter.
Steps to reproduce:
1. Login as admin
2. Go to Licenses and create a new license with arbitrary values
3. Click on the License, go to File Uploads and Upload any 2-3 PoC files
4. Observe that the download links for the uploaded files are of the form `/licenses/<license_id>/showfile/<file_id>`. `file_id` increments for each additional file uploaded
5. Go to People and create a new user. Make sure to deny all permissions except for the `Licenses -> View` permission. In particular `View and Modify License Files` is denied, i.e. the user should not be able to view license files
6. Login as the newly created user, click on Licenses and click on the license created earlier. Note that a click on `File Uploads` does nothing
7. The URL should now be `/licenses/<license_id>`
8. Append `/showfile/3` to the URL and observe that the first uploaded file is downloaded
9. All files can be enumerated by incrementing the `file_id`
PoC request from a user with only the Licenses -> View permission:
GET /licenses/1/showfile/3 HTTP/1.1
Host: 127.0.0.1:8000
Connection: close
Cookie: snipeit_session=bFxcGzG8fZAfZvPFivACCT7XN9GXdYRBhrvLgZuh
Content-Length: 2
A user can create API keys to authenticate to API endpoints. There is a permission called Create API keys; however, even users without this permission are able to create API keys, rendering the permission ineffective.
Steps to reproduce:
1. Login as admin
2. Go to People and create a new user. Make sure to deny all permissions. In particular `Self -> Create API keys` is denied, i.e. the user should not be able to create API keys
3. Login as the newly created user
4. Take note of the cookie `snipeit_session` and the `csrf-token` in the HTML head, which is set in the response to `/account/view-assets`
5. Make the request to create an API key and observe that an API key is returned
API Creation Request (replace the CSRF Token and session cookie accordingly):
POST /oauth/personal-access-tokens HTTP/1.1
Host: 127.0.0.1:8000
X-CSRF-TOKEN: wqLZMfHIXhA8WdsJLmghGHird8AWlDYb8SeEIAIp
Content-Type: application/json;charset=utf-8
Connection: close
Cookie: snipeit_session=CAwxBX0UfnzSh4GD2mIASL0Fp2eoUegXBxOWRN3d
Content-Length: 38
{"name":"asd","scopes":[],"errors":[]}
The created API key is valid although the user does not have the permission to create API keys.
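Both failures leave a footprint in application access logs: successful `showfile` downloads by users who lack the file permission, sequential `file_id` runs that indicate counter enumeration, and token creations by users who lack the API-key permission. The audit below is an added example, not code from the advisory or from Snipe-IT; it assumes a constructed log format of `user method path status` and a hypothetical permission map whose keys (`licenses.view`, `licenses.files`, `self.api`) are illustrative labels.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the advisory): "<user> <method> <path> <status>"
SAMPLE_LOG = """\
alice GET /licenses/1/showfile/3 200
alice GET /licenses/1/showfile/4 200
alice GET /licenses/1/showfile/5 200
alice GET /licenses/1/showfile/6 404
bob GET /licenses/1 200
bob POST /oauth/personal-access-tokens 200
carol POST /oauth/personal-access-tokens 200
"""

# Hypothetical permission map: which users hold the two permissions the advisory names
PERMISSIONS = {
    "alice": {"licenses.view"},                               # View only, no file permission
    "bob": {"licenses.view"},                                 # no Create API keys permission
    "carol": {"licenses.view", "licenses.files", "self.api"},
}

SHOWFILE = re.compile(r"^/licenses/(\d+)/showfile/(\d+)$")
TOKEN_ENDPOINT = "/oauth/personal-access-tokens"


def audit(log, permissions, min_run=3):
    """Return (kind, user, detail) findings for the two failures the advisory describes."""
    findings = []
    reported = set()                 # one finding per (user, license), not per file
    runs = defaultdict(list)         # (user, license_id) -> consecutive file ids requested
    for line in log.splitlines():
        user, method, path, status = line.split()
        perms = permissions.get(user, set())
        m = SHOWFILE.match(path)
        if m and method == "GET":
            lic, fid = m.group(1), int(m.group(2))
            # successful download by a user lacking the file permission: the check did not fire
            if status == "200" and "licenses.files" not in perms and (user, lic) not in reported:
                reported.add((user, lic))
                findings.append(("unauthorized-download", user, lic))
            ids = runs[(user, lic)]
            if ids and fid != ids[-1] + 1:
                ids.clear()              # run broken, start a new one
            ids.append(fid)
            if len(ids) == min_run:      # sequential ids: counter enumeration in progress
                findings.append(("enumeration", user, f"{lic}:{ids[0]}-{ids[-1]}"))
        elif method == "POST" and path == TOKEN_ENDPOINT and status == "200":
            if "self.api" not in perms:  # token issued despite missing permission
                findings.append(("token-without-permission", user, path))
    return findings
```

The `status` check matters: a `403` on `showfile` means the authorization fix is in place, so only `200` responses count as unauthorized downloads, while the enumeration run counts every request regardless of status.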