Snipe-IT
cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*
- < 8.6.0
A vulnerability exists in Snipe-IT versions prior to 8.6.0 that allows non-admin users holding the 'users.edit' permission to lock administrators out of the system. The bulk user edit feature lets such a user change the 'activated' flag, which controls whether an account may log in, and the 'ldap_import' flag, which determines how password reset requests for the account are handled, on admin accounts. The issue has been patched in version 8.6.0.
Exploitation of this vulnerability locks out admin users by deactivating their accounts and manipulating settings related to password management.
To reproduce this vulnerability, a non-admin user with the 'users.edit' permission opens the bulk editing feature for user accounts, selects one or more admin users, and sets the 'activated' flag to '0'. The selected admin accounts are deactivated and can no longer log in. Setting the 'ldap_import' flag on the same accounts additionally disrupts password reset requests for those users, so the locked-out admins cannot recover access through the normal reset flow.
Upgrade to Snipe-IT version 8.6.0 or later, where this vulnerability has been patched. Until the upgrade is applied, restrict the 'users.edit' permission to trusted accounts, since it is the only precondition for the attack.
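The following is an added illustration, not code from Snipe-IT or from the advisory: a small model of the bulk-edit authorization decision, showing the pre-fix behaviour the advisory describes (only the 'users.edit' permission is checked) beside a hardened policy that refuses to let a non-admin change the lockout-relevant fields of an admin, plus an audit helper that lists admins who are currently locked out. The 'activated', 'ldap_import' and 'users.edit' names come from the advisory; the `User` record, the policy functions, `apply_bulk_edit` and `locked_out_admins` are assumptions constructed for this example and do not correspond to Snipe-IT's actual implementation or to its patch.

```python
"""Hypothetical model of Snipe-IT's bulk user edit authorization.

Added example, not Snipe-IT's code. Only the field and permission names
('activated', 'ldap_import', 'users.edit', superuser) mirror the advisory;
every function and record below is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# Fields whose change can lock an account out: 'activated' gates login,
# 'ldap_import' diverts password reset handling away from the local flow.
LOCKOUT_FIELDS = {"activated", "ldap_import"}


@dataclass
class User:
    id: int
    username: str
    superuser: bool = False            # admin account
    activated: bool = True             # may log in
    ldap_import: bool = False          # password reset not handled locally
    permissions: set = field(default_factory=set)


def vulnerable_bulk_edit_allowed(actor: User, targets: list, changes: dict) -> bool:
    """Pre-fix behaviour as the advisory describes it: the only check is that
    the actor holds 'users.edit'; targets and changed fields are not inspected."""
    return "users.edit" in actor.permissions


def hardened_bulk_edit_allowed(actor: User, targets: list, changes: dict) -> bool:
    """Hypothetical fix (assumption, not the project's patch): a non-superuser
    with 'users.edit' may not change lockout-relevant fields on any superuser."""
    if "users.edit" not in actor.permissions:
        return False
    if actor.superuser:
        return True
    touches_lockout = bool(LOCKOUT_FIELDS & set(changes))
    targets_admin = any(t.superuser for t in targets)
    return not (touches_lockout and targets_admin)


def apply_bulk_edit(policy, actor: User, targets: list, changes: dict) -> bool:
    """Apply `changes` to every target if `policy` permits it. Returns True when
    the edit was applied, False when it was refused (targets are left untouched)."""
    if not policy(actor, targets, changes):
        return False
    for target in targets:
        for name, value in changes.items():
            setattr(target, name, value)
    return True


def locked_out_admins(users: list) -> list:
    """Audit helper: usernames of superusers who cannot log in or whose
    password reset has been diverted via 'ldap_import'. Useful after an
    incident to see which admin accounts need restoring."""
    return sorted(
        u.username for u in users
        if u.superuser and (not u.activated or u.ldap_import)
    )


def run_scenario(policy) -> dict:
    """Replay the advisory's scenario under a given policy and report the result."""
    admin = User(1, "admin", superuser=True, permissions={"users.edit", "superuser"})
    editor = User(2, "helpdesk", permissions={"users.edit"})   # non-admin
    # Constructed request: the attacker bulk-edits the admin's lockout fields.
    applied = apply_bulk_edit(policy, editor, [admin], {"activated": False, "ldap_import": True})
    return {"applied": applied, "locked_out": locked_out_admins([admin, editor])}
```

Running `run_scenario(vulnerable_bulk_edit_allowed)` reports the edit as applied and lists `admin` as locked out, which is the advisory's outcome; `run_scenario(hardened_bulk_edit_allowed)` refuses the edit and the admin remains active. Note that the hardened policy still lets the non-admin edit other, non-lockout fields of an admin and lets it edit lockout fields of ordinary users, which is the minimal change the advisory's description implies; a real fix may be stricter.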