Snipe-IT
cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*
- 8.4.0
A vulnerability exists in Snipe-IT version 8.4.0 in the user management API endpoint `PUT /api/v1/users/{id}`. This improper authorization flaw allows an authenticated attacker who holds the `users.edit` permission to alter sensitive authentication and account-state fields of other non-admin users. By sending a crafted PUT request, the attacker can reset another user's password or deactivate that user's account, which leads to unauthorized account access or a denial of service for the targeted user.
Exploitation allows unauthorized password resets and account deactivations of non-admin users. Because a reset password lets the attacker sign in as the targeted user, the attacker also inherits whatever permissions that user holds, which may exceed the attacker's own.
To reproduce this vulnerability, an authenticated user with the `users.edit` permission sends a PUT request to `/api/v1/users/{id}`, where `{id}` is a non-admin user other than the requester. The request body must set one of the sensitive fields, such as `password` or `activated`. Once the request is processed, the targeted user's password is reset or the account is deactivated, depending on which field was modified; the endpoint does not require the target's current password or any permission beyond `users.edit`.
To address this vulnerability, Snipe-IT can implement several measures:
- restrict editing of authentication fields so that a user may change only their own password, not another user's
- verify the current password when a non-admin user resets their own password
- separate the permission for general user editing from a permission for editing authentication and account-state fields
- apply rate limits to the user update API to deter bulk attacks against many accounts
- log every password change and account deactivation with the acting user and the targeted user, and alert on unusual activity
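The following is an added example, not Snipe-IT's own code, that models the authorization decision behind `PUT /api/v1/users/{id}` for both the reproduction steps and the mitigations above. It shows the 8.4.0 behaviour (the `users.edit` permission alone covers every field of a non-admin user) next to a hardened check. The permission name `users.edit` and the field names `password` and `activated` come from the advisory; the `User` records, the `users.edit_auth` permission, the `current_password_ok` flag and the audit list are assumptions made here to illustrate the fix.

```python
"""
Authorization decision for PUT /api/v1/users/{id}, modelled in plain Python.

Added example, not Snipe-IT's own code. `users.edit`, `password` and
`activated` come from the advisory; everything else below (the User
records, the `users.edit_auth` permission, the `current_password_ok` flag,
the audit list) is a constructed assumption used to illustrate the fix.
"""
from dataclasses import dataclass
from typing import Optional

# Fields the advisory classes as authentication / account-state fields.
AUTH_FIELDS = frozenset({"password", "activated"})

# Hypothetical separate permission for editing another user's auth fields,
# as the mitigation suggests (not an existing Snipe-IT permission name).
EDIT_AUTH_PERMISSION = "users.edit_auth"


@dataclass(frozen=True)
class User:
    id: int
    permissions: frozenset
    is_admin: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def vulnerable_policy(actor: User, target: User, payload: dict) -> Decision:
    """Behaviour the advisory describes for 8.4.0: `users.edit` alone is
    enough to write any field of any non-admin user, auth fields included."""
    if "users.edit" not in actor.permissions:
        return Decision(False, "missing users.edit")
    if target.is_admin and not actor.is_admin:
        return Decision(False, "non-admin actor may not edit an admin")
    return Decision(True, "users.edit covers every field")


def hardened_policy(actor: User, target: User, payload: dict,
                    current_password_ok: bool = False,
                    audit: Optional[list] = None) -> Decision:
    """Same request with the advisory's mitigations applied:
    - auth fields on another account need a separate permission;
    - a user may reset only their own password, and only after the
      current password has been verified (`current_password_ok`);
    - every permitted auth-field change is recorded in `audit` with
      actor and target so it can be alerted on."""
    if "users.edit" not in actor.permissions:
        return Decision(False, "missing users.edit")
    if target.is_admin and not actor.is_admin:
        return Decision(False, "non-admin actor may not edit an admin")

    touched = AUTH_FIELDS.intersection(payload)
    if not touched:
        return Decision(True, "profile fields only")

    if actor.id == target.id:
        if "activated" in touched:
            return Decision(False, "users may not change their own activation state")
        if not current_password_ok:
            return Decision(False, "current password must be verified for a self reset")
        reason = "self password change with verified current password"
    elif EDIT_AUTH_PERMISSION in actor.permissions:
        reason = f"{EDIT_AUTH_PERMISSION} grants cross-user auth edits"
    else:
        return Decision(False, "users.edit does not cover another user's auth fields")

    if audit is not None:
        audit.append({"actor": actor.id, "target": target.id,
                      "fields": sorted(touched)})
    return Decision(True, reason)


if __name__ == "__main__":
    # Constructed sample: a low-privilege attacker with only users.edit
    # sends the body from the reproduction steps against another user.
    attacker = User(id=2, permissions=frozenset({"users.edit"}))
    victim = User(id=3, permissions=frozenset())
    reset = {"password": "attacker-chosen", "activated": False}
    print("8.4.0:", vulnerable_policy(attacker, victim, reset))
    print("fixed:", hardened_policy(attacker, victim, reset))
```

Note that the hardened check still lets an actor with `users.edit` change ordinary profile fields of other users; the intent is to separate that routine capability from the ability to take over or lock out an account, and to make the latter both explicitly granted and logged.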