Vulnerability DatabaseCVE-2024-5685

CVE-2024-5685:
PHP vulnerability analysis and mitigation

Overview

CVE-2024-5685 is a Missing Authorization vulnerability affecting Snipe-IT versions from v4.6.17 through v6.4.1. The vulnerability allows users with 'User:edit' and 'Self:api' permissions to promote or demote themselves or other users by performing changes to the group's memberships via API call (DevHub Checkmarx).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L. The vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software program allows users to access privileged parts of the program without proper verification of user credentials (DevHub Checkmarx).

Impact

The vulnerability allows unauthorized elevation of privileges through API calls, potentially leading to unauthorized access to administrative functions. Users with specific permissions can manipulate group memberships, potentially escalating their own privileges or modifying other users' access levels (DevHub Checkmarx).

Mitigation and workarounds

The vulnerability has been fixed in Snipe-IT version 6.4.2. Users are recommended to upgrade to this version or later. The fix includes a refactoring of the group syncing functionality on the user edit API endpoint (GitHub Release).