CVE-2024-5685

Published: Jun 14, 2024Modified: Mar 7, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.

Affected (1)

Products: Snipeitapp: Snipe It

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Snipeitapp Snipe It	From 4.6.17 to 6.4.2

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (10)

https://advisory.checkmarx.net/?search=CVE-2024-5685

Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

Third Party Advisory

https://devhub.checkmarx.com/cve-details/CVE-2024-5685/

Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

Third Party Advisory

https://github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1

Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

Patch

https://github.com/snipe/snipe-it/pull/14745

Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

Issue Tracking

https://github.com/snipe/snipe-it/releases/tag/v6.4.2

Source: 596c5446-0ce5-4ba2-aa66-48b3b757a647

Release Notes

https://advisory.checkmarx.net/?search=CVE-2024-5685

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://devhub.checkmarx.com/cve-details/CVE-2024-5685/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/snipe/snipe-it/pull/14745

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://github.com/snipe/snipe-it/releases/tag/v6.4.2

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

Timeline

No history available yet.