Grokability Snipe-IT Insecure Permissions Vulnerability in Uploaded Files Controller Allowing Arbitrary Code Execution
Vulnerability
An insecure permissions vulnerability has been identified in Grokability Snipe-IT versions prior to 8.4.1. This vulnerability allows remote attackers to execute arbitrary code by exploiting the UploadedFilesController component. The issue arises because the API incorrectly authorizes file upload requests, granting 'view' permissions instead of the necessary 'write' permissions. As a result, users with the ability to view certain assets can upload files through the API, potentially leading to unauthorized code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where Snipe-IT is hosted.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/v1/{object_type}/{id}/files' endpoint, replacing '{object_type}' and '{id}' with the values for the asset or consumable being targeted. Because the API checks only 'view' permission on the target object, the request is authorized for any user who can view that object, and the file is accepted without the 'write' permission that an upload should require. Once the file is uploaded, the application will execute the uploaded code, leading to arbitrary code execution on the server.
Remediation
Users can upgrade to Snipe-IT version 8.4.1 or later, where this vulnerability has been patched.
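As an added defender-side example (not from the advisory or the Snipe-IT project), the following Python script scans access-log lines for successful POSTs to the files endpoint described under Reproduction by principals who are not expected to hold write permission, and checks a version string against the fixed release. The combined log format, the use of the log's user field as the API principal, the object type names and the sample lines are assumptions constructed for the example.

```python
"""Triage helpers for the Snipe-IT file-upload authorization bug fixed in 8.4.1."""
import re

# Endpoint shape given in the advisory: POST /api/v1/{object_type}/{id}/files
UPLOAD_PATH = re.compile(r"^/api/v1/(?P<object_type>[a-z_-]+)/(?P<id>\d+)/files/?(\?.*)?$")

# Combined access-log format; the "user" field is assumed to carry the API principal.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): a view-only user uploads a file.
SAMPLE_LOG = """\
10.0.0.5 - viewer_bob [12/May/2025:10:01:02 +0000] "GET /api/v1/hardware/17 HTTP/1.1" 200 512
10.0.0.5 - viewer_bob [12/May/2025:10:01:09 +0000] "POST /api/v1/hardware/17/files HTTP/1.1" 200 84
10.0.0.9 - admin_ann [12/May/2025:10:02:00 +0000] "POST /api/v1/consumables/3/files HTTP/1.1" 200 84
10.0.0.7 - viewer_cat [12/May/2025:10:03:00 +0000] "POST /api/v1/hardware/17/files HTTP/1.1" 403 0
10.0.0.5 - viewer_bob [12/May/2025:10:04:00 +0000] "POST /api/v1/hardware/17/checkout HTTP/1.1" 200 30
"""


def is_vulnerable_version(version: str) -> bool:
    """True when a dotted numeric version string is below the fixed release 8.4.1."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts + (0,) * (3 - len(parts)) < (8, 4, 1)


def find_upload_calls(lines):
    """Return every POST to the files endpoint, whatever its status code."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = UPLOAD_PATH.match(m["path"])
        if p:
            hits.append({"ip": m["ip"], "user": m["user"], "status": int(m["status"]),
                         "object_type": p["object_type"], "id": int(p["id"])})
    return hits


def find_unexpected_uploads(lines, writers):
    """Successful uploads by principals outside the set that legitimately holds write permission."""
    return [h for h in find_upload_calls(lines)
            if 200 <= h["status"] < 300 and h["user"] not in writers]


if __name__ == "__main__":
    for hit in find_unexpected_uploads(SAMPLE_LOG.splitlines(), {"admin_ann"}):
        print(f"review upload by {hit['user']} from {hit['ip']} to {hit['object_type']}/{hit['id']}")
```

Each flagged upload is a file that should be inspected on the server and, on an unpatched instance, treated as a possible code-execution attempt.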
