Lucene search

Veracode Vulnerability DatabaseVERACODE:37119

HistorySep 19, 2022 - 5:18 a.m.

Improper Authentication

2022-09-1905:18:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.0%

JSON

snipe/snipe-it is vulnerable to improper authentication. A remote authenticated attacker is able to access unauthorized files through the viewKeys function as long as they have the View permission, which exposes confidential information required to create the API keys without the corresponding consent.

CPENameOperatorVersion
snipe/snipe-itlev6.0.10
snipe/snipe-itlev6.0.10

CPE	Name	Operator	Version
	snipe/snipe-it	le	v6.0.10
	snipe/snipe-it	le	v6.0.10

References

github.com/snipe/snipe-it/commit/dcab1381e7ee0b7fd1df3a34750dbff4b79185b2

github.com/snipe/snipe-it/pull/11842

huntr.dev/bounties/6d8ffcc6-c6e3-4385-8ead-bdbbbacf79e9

huntr.dev/bounties/6d8ffcc6-c6e3-4385-8ead-bdbbbacf79e9/

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.0%

JSON

Related for VERACODE:37119