VYPR
Moderate severityNVD Advisory· Published Dec 25, 2022· Updated Apr 15, 2025

CVE-2022-44381

Description

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Snipe-IT through version 6.0.14 allows attackers to enumerate valid user accounts via response differences in password reset requests.

Overview

Snipe-IT through version 6.0.14 contains an improper access control vulnerability (CWE-284) that allows attackers to determine whether a user account exists by observing response variations during password reset requests [1]. The /password/reset endpoint returns different responses or behaves differently depending on whether the supplied email matches an existing user, enabling username enumeration without authentication [2].

Exploitation

An attacker can send HTTP requests to the password reset functionality with arbitrary email addresses. By analyzing the response (e.g., differing HTTP status codes, response size, or timing), they can infer which addresses correspond to registered user accounts. This attack requires no prior authentication and can be performed over the public network [1][2].

Impact

Successful exploitation allows an attacker to build a list of valid usernames in Snipe-IT. This information can be used to launch targeted attacks, such as credential stuffing, phishing, or further exploitation of authenticated vulnerabilities. The flaw does not directly reveal passwords or allow account takeover, but it significantly weakens security posture by exposing account existence [1].

Mitigation

The vendor released version 6.0.14, which addresses a stored XSS vulnerability (CVE-2022-44380) but does not fix this username enumeration issue; CENSUS notes that the fix for CVE-2022-44381 is not included in that release [1]. Administrators should apply any subsequent patches and monitor the vendor's repository for updates [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: snipe/snipe-it (Packagist)
Affected versions: <= 6.0.14
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)