VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2022 · Updated Aug 3, 2024

Improper Authentication in snipe/snipe-it

CVE-2022-3173

Description

Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-3173 is an improper authentication (in effect, missing authorization) vulnerability in Snipe-IT prior to 6.0.10 that lets authenticated users who lack the licenses.files permission retrieve files attached to license records.

Root Cause

The vulnerability is a missing authorization check on the endpoint that serves files attached to a license. LicenseFilesController::show() called $this->authorize('view', $license), which only confirms that the user may view the license record itself; it never checked the separate licenses.files permission that governs attached files. The files tab in the license view was already wrapped in @can('files', $license), so the UI hid the files from users without that permission, but the controller did not enforce it, and any authenticated user with licenses.view could fetch the files directly. The fix, commit dcab1381, adds $this->authorize('licenses.files', $license) after the view check, defines a licenses.files gate, and makes the view use the same ability [3].

Exploitation

An attacker with an account on a vulnerable instance (prior to 6.0.10) that carries licenses.view but not licenses.files can request the license file endpoint served by LicenseFilesController::show() directly, bypassing the hidden UI tab. Because show() takes a $download flag that defaults to true, the request returns the attached file itself rather than a listing. No privileges beyond an ordinary authenticated account with view rights are needed, so the attack is low complexity [2][4].

Impact

Successful exploitation lets such a user read files attached to license records, which may contain license keys, software entitlements, and other confidential information. This could lead to unauthorized use of licenses or disclosure of the organization's software inventory. The advisory rates the issue moderate severity [2].

Mitigation

The issue is fixed in Snipe-IT 6.0.10; upgrade to that version or later. Where an upgrade must wait, restrict network access to the application and audit who holds licenses.view, since before the fix that permission alone was enough to retrieve attached license files. The patch is small (six files, commit dcab1381) and can be backported by hand to a pinned fork [3][4].
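A quick way to tell whether an install is inside the affected range, as an added example that is not part of this advisory or of the Snipe-IT project: it reads the app_version value out of Snipe-IT's config/version.php (the key name is taken from that file; the file body below is constructed for the example) and compares it against 6.0.10, treating a pre-release tag on 6.0.10 itself as still affected.

```python
"""Decide whether a Snipe-IT install falls in the affected range of CVE-2022-3173 (< 6.0.10).

Added example, not Snipe-IT project code. Snipe-IT records its version in
config/version.php as a PHP array; the 'app_version' key is the one read here.
"""
import re
from typing import Optional, Tuple

PATCHED = (6, 0, 10)  # first fixed release per the advisory

# Accepts "6.0.9", "v6.0.9", "v6.0.10-pre"; trailing build metadata is ignored.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Return (major, minor, patch, prerelease) for the first version in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_affected(version: str) -> bool:
    """True when version is strictly below 6.0.10.

    A pre-release of 6.0.10 (e.g. v6.0.10-pre) predates the fixed release and is
    treated as affected; 6.0.10 proper and anything above it is not.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = parsed
    core = (major, minor, patch)
    if core < PATCHED:
        return True
    return core == PATCHED and pre is not None


def app_version_from_config(php_source: str) -> Optional[str]:
    """Pull the 'app_version' string out of a config/version.php body."""
    m = re.search(r"'app_version'\s*=>\s*'([^']+)'", php_source)
    return m.group(1) if m else None


# Constructed sample of a config/version.php from an unpatched install.
SAMPLE_VERSION_PHP = """<?php
return array (
  'app_version' => 'v6.0.9',
  'full_app_version' => 'v6.0.9 - build 8000-gabcdef0',
  'build_version' => '8000',
  'prerelease_version' => '',
  'hash_version' => 'gabcdef0',
  'full_hash' => 'v6.0.9-0-gabcdef0',
  'branch' => 'master',
);
"""


def audit_config(php_source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (app_version, affected) for a config/version.php body.

    Both values are None when no version string is present, so an unreadable
    file is reported as unknown rather than silently as 'not affected'.
    """
    version = app_version_from_config(php_source)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    ver, affected = audit_config(SAMPLE_VERSION_PHP)
    verdict = "AFFECTED, upgrade to 6.0.10 or later" if affected else "not affected"
    print(f"{ver}: {verdict}")
```

Point audit_config at the real file contents (open("config/version.php").read()) on the host; a composer.lock or a Docker image tag can be fed to is_affected directly, since it only needs a version string.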

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
snipe/snipe-it (Packagist)  < 6.0.10            6.0.10

Affected products

2

Patches

1
dcab1381e7ee

Check for licenses.files permissions

https://github.com/snipe/snipe-it · snipe · Sep 16, 2022 · via ghsa
6 files changed · +25 −6
  • app/Http/Controllers/Licenses/LicenseFilesController.php (+2 −1, modified)
    @@ -135,6 +135,7 @@ public function show($licenseId = null, $fileId = null, $download = true)
             // the license is valid
             if (isset($license->id)) {
                 $this->authorize('view', $license);
    +            $this->authorize('licenses.files', $license);
     
                 if (! $log = Actionlog::find($fileId)) {
                     return response('No matching record for that asset/file', 500)
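Review bot: the added authorize('licenses.files', $license) hands $license to a gate whose closure (the Gate::define in AuthServiceProvider in this same patch) only receives $user, so the check is a global permission and not scoped to this license; a one-line comment saying so would stop a later reader assuming per-object authorization. Because authorize() throws an AuthorizationException on denial instead of falling through, a permission failure never reaches the redirect at the bottom of this method. Unrelated but cheap to fix while here: 'No matching record for that asset/file' is a not-found condition and should return 404, not 500.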
    @@ -171,6 +172,6 @@ public function show($licenseId = null, $fileId = null, $download = true)
                 }
             }
     
    -        return redirect()->route('license.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
    +        return redirect()->route('licenses.index')->with('error', trans('admin/licenses/message.does_not_exist', ['id' => $fileId]));
         }
     }
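Review bot: the route rename from license.index to licenses.index reads like a pre-existing bug being fixed alongside the security change; confirm the named route exists, otherwise the not-found path now fails with a RouteNotFoundException instead of a redirect. The trans() call also passes ['id' => $fileId] while the does_not_exist string (edited in the lang hunk of this patch) contains no :id placeholder, so the argument is unused; either drop it or add the placeholder.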
    
  • app/Policies/LicensePolicy.php (+6 −2, modified)
    @@ -42,8 +42,12 @@ public function viewKeys(User $user, License $license = null)
          * @param  \App\Models\User  $user
          * @return mixed
          */
    -    public function files(User $user)
    +    public function viewFiles(User $user)
         {
    -        return $user->hasAccess($this->columnName().'.files');
    +        if ($user->hasAccess('licenses.files'))  {
    +            return true;
    +        }
    +        return false;
    +
         }
     }
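Review bot: renaming files() to viewFiles() leaves no caller in this patch, since the view uses @can('licenses.files', ...) and the controller uses authorize('licenses.files', ...), both of which resolve to the new Gate::define rather than to this method; either call viewFiles from those sites or drop it. It also hard-codes 'licenses.files' where the parent's files() uses $this->columnName().'.files', and the if/return true/return false collapses to `return $user->hasAccess('licenses.files');`. The stray blank line before the closing brace should go.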
    
  • app/Policies/SnipePermissionsPolicy.php (+5 −0, modified)
    @@ -61,6 +61,11 @@ public function view(User $user, $item = null)
             return $user->hasAccess($this->columnName().'.view');
         }
     
    +    public function files(User $user, $item = null)
    +    {
    +        return $user->hasAccess($this->columnName().'.files');
    +    }
    +
         /**
          * Determine whether the user can create accessories.
          *
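Review bot: files() lands without a docblock while the surrounding methods carry one (the next reads 'Determine whether the user can create accessories.'); add one stating that it gates the attached-files tab and endpoint through the model's <columnName>.files permission. $item is accepted but unused, as in view() above, so the result is not object-scoped; say so in the docblock. Since this sits in the shared base policy, every model using SnipePermissionsPolicy now answers can('files', $model), which only makes sense where a matching .files permission exists.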
    
  • app/Providers/AuthServiceProvider.php (+7 −0, modified)
    @@ -122,6 +122,13 @@ public function boot()
             });
     
     
    +        Gate::define('licenses.files', function ($user) {
    +            if ($user->hasAccess('licenses.files')) {
    +                return true;
    +            }
    +        });
    +
    +
             // -----------------------------------------
             // Reports
             // -----------------------------------------
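Review bot: the closure returns true on success and falls off the end (null) otherwise; Laravel treats anything but true as a denial, so it works, but `return $user->hasAccess('licenses.files');` says the same thing in one line and cannot be misread. This gate is also the third copy of one rule in a single patch, beside LicensePolicy::viewFiles() and SnipePermissionsPolicy::files(); keep one and route the others through it so they cannot drift. The two consecutive blank lines before the Reports banner are a style nit.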
    
  • resources/lang/en/admin/licenses/message.php (+1 −1, modified)
    @@ -2,7 +2,7 @@
     
     return array(
     
    -    'does_not_exist' => 'License does not exist.',
    +    'does_not_exist' => 'License does not exist or you do not have permission to view it.',
         'user_does_not_exist' => 'User does not exist.',
         'asset_does_not_exist' 	=> 'The asset you are trying to associate with this license does not exist.',
         'owner_doesnt_match_asset' => 'The asset you are trying to associate with this license is owned by somene other than the person selected in the assigned to dropdown.',
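Review bot: the new 'or you do not have permission to view it' wording stops the message from confirming whether a license id exists, which is the right instinct, but in LicenseFilesController::show this key is only reached when the license lookup fails; a denied authorize() throws an AuthorizationException and never redirects here, so unless the exception handler maps that to this redirect the second clause is never shown. Pre-existing typo in the unchanged context line above: 'somene' should be 'someone'.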
    
  • resources/views/licenses/view.blade.php (+4 −2, modified)
    @@ -36,7 +36,8 @@
     
                 </a>
             </li>
    -        
    +
    +        @can('licenses.files', $license)
             <li>
               <a href="#files" data-toggle="tab">
                 <span class="hidden-lg hidden-md">
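Review bot: the @can('licenses.files', $license) opened here is closed by the @endcan in the following hunk, so the two hunks must be applied together or the Blade template will not compile. Hiding the Files tab is presentation only; the enforcement is the controller's authorize() call, and keeping view and controller on the same ability name is what stops them from diverging. The replaced line carried only trailing whitespace; dropping it is fine.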
    @@ -46,6 +47,7 @@
                 </span>
               </a>
             </li>
    +        @endcan
     
             <li>
               <a href="#history" data-toggle="tab">
    @@ -416,7 +418,7 @@ class="table table-striped snipe-table"
               </div> <!--/.row-->
             </div> <!-- /.tab-pane -->
     
    -        @can('files', $license)
    +        @can('licenses.files', $license)
             <div class="tab-pane" id="files">
               <div class="table-responsive">
                 <table
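Review bot: changing @can('files', $license) to @can('licenses.files', $license) makes this pane use the same ability as the new tab-header guard, which is the property that matters. The pane was already gated before this patch, through the now-renamed LicensePolicy::files(); the exposure was the controller endpoint, not this view, so this hunk is consistency rather than the fix. The ability string now appears at several call sites; a single policy method or named constant would keep them aligned.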
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.