High severityNVD Advisory· Published Jun 14, 2024· Updated Aug 1, 2024
Broken Function Level Authorization (BFLA) in snipe/snipe-it
CVE-2024-5685
Description
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
snipe/snipe-itPackagist | < 6.4.2 | 6.4.2 |
Affected products
2- Range: v4.6.17
Patches
Vulnerability mechanics
References
8- advisory.checkmarx.netghsathird-party-advisoryWEB
- devhub.checkmarx.com/cve-details/CVE-2024-5685/mitrethird-party-advisory
- github.com/advisories/GHSA-544r-fc65-v832ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-5685ghsaADVISORY
- devhub.checkmarx.com/cve-details/CVE-2024-5685ghsaWEB
- github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1ghsaWEB
- github.com/snipe/snipe-it/pull/14745ghsaWEB
- github.com/snipe/snipe-it/releases/tag/v6.4.2ghsarelease-notesWEB
News mentions
0No linked articles in our index yet.