CVE-2022-1155 – snipe/snipe-it

Package

Manager: composer
Name: snipe/snipe-it
Vulnerable Version: >=6.0.0-rc-1 <6.0.0-rc-6 || >=0 <5.4.2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.00241 pctl0.47239

Details

Old sessions not blocked by login enable function in Snipe-IT Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.

Metadata

Created: 2022-03-31T00:00:22Z
Modified: 2022-04-13T13:28:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-636j-7x7r-gvw2/GHSA-636j-7x7r-gvw2.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-636j-7x7r-gvw2
Finding: F280
Auto approve: 1