-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability is described as 'incorrect authorization for accessing asset information' in Snipe-IT versions before 8.1.0. The provided pull request #16672 and its associated commits directly address this by adding authorization checks (gates) to several methods within app/Http/Controllers/LocationsController.php.
Commit 41fb058adb92e003e06a95ee88268138eeb2e045 is key, as it introduces $this->authorize('view', Location::class); to the show, print_assigned, and print_all_assigned methods. The absence of these checks in versions prior to the patch meant that users could potentially access asset information linked to locations without having the necessary permissions. The functions show, print_assigned, and print_all_assigned are directly involved in displaying or providing data about assets associated with locations. Therefore, these functions, in their state before the patch, were vulnerable to the described incorrect authorization. The other changes in the commit (to postBulkDelete and postBulkDeleteStore) are also authorization additions, but the core of accessing asset information lies with the view/print functions.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| snipe/snipe-it | composer | < 8.1.0 | 8.1.0 |
PHPPHPOngoing coverage of React2Shell