Grokability Snipe-IT Incorrect Authorization Vulnerability in Asset Management

Vulnerability

An access control vulnerability has been identified in Grokability Snipe-IT versions prior to 8.1.0. Any authenticated user can view asset information for locations (departments) other than the one they are assigned to, violating the application's access control policy. The cause is a missing object-level authorization check: the '/locations/{id}/printassigned' endpoint looks up whatever location ID the URL carries without verifying that the requesting user is assigned to that location or holds a permission that covers it.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive asset data across departments, allowing users to view inventory and asset assignments from unrelated business units.

Reproduction

To reproduce this vulnerability, log in as a user with low privileges who is assigned to a specific department or location. Then navigate to the '/locations/{id}/printassigned' endpoint, replacing '{id}' with the ID of a location assigned to the user; the page should render normally. Now change the location ID in the URL to the ID of a location the user is not assigned to. Instead of refusing the request, the application renders the assets assigned to that location, regardless of the user's actual assignments. A correctly authorized endpoint would return an error (typically 403, or 404 if the application hides unauthorized objects) for the second request.
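The following Python module is an added illustration and is not Snipe-IT's own code. It models the access decision behind the '/locations/{id}/printassigned' route in its vulnerable form (authentication only) beside a hardened form (object-level authorization on the requested location), and includes a probe that replays the two reproduction steps above against any fetch(location_id) callable that returns an HTTP status code. The class names, the field names, the permission name 'view_all_locations' and the sample inventory are assumptions constructed for this example.

```python
"""Added illustration (not Snipe-IT's own code): a minimal model of the access
decision behind /locations/{id}/printassigned, the missing object-level check
beside a hardened version, and a probe that replays the reproduction steps.
Class/field names, the permission 'view_all_locations' and the sample data are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Asset:
    tag: str
    location_id: int


@dataclass
class User:
    username: str
    location_id: int                    # the location/department the user belongs to
    permissions: Set[str] = field(default_factory=set)


# Constructed sample inventory: location 1 and location 2 each own some assets.
ASSETS: List[Asset] = [
    Asset("LAP-001", location_id=1),
    Asset("LAP-002", location_id=1),
    Asset("SRV-100", location_id=2),
]


def assets_for_location(location_id: int) -> List[Asset]:
    return [a for a in ASSETS if a.location_id == location_id]


def print_assigned_vulnerable(user: Optional[User], location_id: int) -> List[Asset]:
    """Vulnerable pattern: only authentication is checked. Whatever {id} the URL
    carries is looked up, so any logged-in user can enumerate every location."""
    if user is None:
        raise PermissionError("login required")
    return assets_for_location(location_id)


def print_assigned_fixed(user: Optional[User], location_id: int) -> List[Asset]:
    """Hardened pattern: object-level authorization on the requested location.
    The caller must hold a cross-location permission or belong to that location."""
    if user is None:
        raise PermissionError("login required")
    if "view_all_locations" not in user.permissions and user.location_id != location_id:
        raise PermissionError(f"{user.username} may not view location {location_id}")
    return assets_for_location(location_id)


def probe_idor(fetch: Callable[[int], int], own_location_id: int, other_location_id: int) -> str:
    """Replay the reproduction steps against fetch(location_id) -> HTTP status.

    The first request, for the caller's own location, must succeed; otherwise
    the session is not set up correctly and the result is inconclusive. A 200
    for a foreign location then means the control is missing; anything else
    (403, or 404 if the app hides unauthorized objects) means it is enforced.
    Run it as a low-privileged user: a user who legitimately holds a
    cross-location permission will always see 200 and prove nothing.
    """
    if fetch(own_location_id) != 200:
        return "inconclusive"
    return "vulnerable" if fetch(other_location_id) == 200 else "not vulnerable"


def make_fake_fetch(handler: Callable[[Optional[User], int], List[Asset]],
                    user: Optional[User]) -> Callable[[int], int]:
    """Adapt one of the model handlers to the status-code interface probe_idor
    expects. Against a real target, fetch would instead perform an authenticated
    GET of /locations/{id}/printassigned and return response.status_code."""
    def fetch(location_id: int) -> int:
        try:
            handler(user, location_id)
            return 200
        except PermissionError:
            return 403
    return fetch


if __name__ == "__main__":
    alice = User("alice", location_id=1)          # low-privileged user in location 1
    print("vulnerable handler:", probe_idor(make_fake_fetch(print_assigned_vulnerable, alice), 1, 2))
    print("fixed handler:     ", probe_idor(make_fake_fetch(print_assigned_fixed, alice), 1, 2))
```

The probe only classifies responses; it never renders or stores the foreign location's asset list, so it can be run as a non-destructive check after upgrading to confirm that the second request is now refused.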

Remediation

Users are advised to upgrade to Grokability Snipe-IT version 8.1.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.