CVE-2022-3173

MEDIUM4.3EPSS 0.18%

Snipe-IT vulnerable to Improper Authentication

Published: 9/18/2022Modified: 11/8/2023

Description

Snipe-IT prior to 6.0.10 is vulnerable to Improper Authentication. A user without the `View and Modify License Files` permission may access files uploaded to licenses as long as they have the `View` permission for licenses.

Affected packages (1)

Packagist/snipe/snipe-itfrom 0, < 6.0.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-3173
PATCHhttps://github.com/snipe/snipe-it
WEBhttps://github.com/snipe/snipe-it/commit/dcab1381e7ee0b7fd1df3a34750dbff4b79185b2
WEBhttps://huntr.dev/bounties/6d8ffcc6-c6e3-4385-8ead-bdbbbacf79e9