Vulnerability Description
Users holding both the "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships through the API. This issue affects Snipe-IT from v4.6.17 through v6.4.1; it is fixed in v6.4.2.
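Two checks a defender would want while triaging this issue, written here as an added example (this is not code from the advisory or from the Snipe-IT project): a version-range test against the affected range stated on this page, and a filter over user records that flags non-superuser accounts holding both permissions the description names. The record format is an assumption: permissions are taken to be a JSON object keyed by permission name ("users.edit", "self.api", "superuser") with the string "1" meaning granted; the sample records are constructed for the example and no live API is called.

```python
"""
Added example for CVE-2024-5685 triage (not advisory or Snipe-IT code).

1. is_affected(version): is a Snipe-IT version inside the affected range
   >= 4.6.17, < 6.4.2 given on this page?
2. find_risky_users(records): which non-superuser accounts hold both
   "users.edit" and "self.api", the combination the advisory says suffices
   to change group memberships through the API on an unpatched instance?

Assumptions (not from the advisory): permissions are a JSON object keyed by
permission name, with the string "1" meaning granted; anything else is
treated as not granted. Sample data below is constructed.
"""
import json
import re
from typing import Iterable

AFFECTED_MIN = (4, 6, 17)   # first affected version per the advisory
FIXED = (6, 4, 2)           # first fixed version per the advisory


def parse_version(version: str) -> tuple:
    """Turn 'v6.4.1', '6.4.1-pre' or '5.0' into a comparable integer tuple.

    Accepts an optional leading 'v' and ignores any suffix after the numeric
    part; short versions are padded to major.minor.patch.
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies in [4.6.17, 6.4.2), the range on this page."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def _granted(perms: dict, key: str) -> bool:
    return str(perms.get(key, "0")) == "1"


def find_risky_users(records: Iterable[dict]) -> list:
    """Usernames that could abuse CVE-2024-5685 on an unpatched instance.

    Superusers are skipped: they can already change anything, so the CVE
    adds nothing for them. A missing or null permissions field grants
    nothing.
    """
    risky = []
    for rec in records:
        raw = rec.get("permissions") or "{}"
        perms = json.loads(raw) if isinstance(raw, str) else raw
        if _granted(perms, "superuser"):
            continue
        if _granted(perms, "users.edit") and _granted(perms, "self.api"):
            risky.append(rec["username"])
    return risky


# Constructed sample records (assumed shape, not real data).
SAMPLE_USERS = [
    {"username": "alice", "permissions": '{"superuser":"1"}'},
    {"username": "bob",   "permissions": '{"users.edit":"1","self.api":"1"}'},
    {"username": "carol", "permissions": '{"users.edit":"1","self.api":"0"}'},
    {"username": "dave",  "permissions": '{"users.view":"1","self.api":"1"}'},
    {"username": "erin",  "permissions": None},
]

if __name__ == "__main__":
    for v in ("v4.6.16", "v4.6.17", "6.4.1", "v6.4.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("accounts to review:", find_risky_users(SAMPLE_USERS))
```

On an instance that cannot be upgraded immediately, the second check gives the list of accounts whose "Self:api" grant (or "User:edit" grant) should be withdrawn until v6.4.2 is deployed; the first check makes the range boundaries explicit so that v6.4.2 itself is correctly reported as fixed.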
CVSS Score
7.6 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Snipeitapp | Snipe-It | >= 4.6.17, < 6.4.2 |
Related Weaknesses (CWE)
References
- https://advisory.checkmarx.net/?search=CVE-2024-5685 (Third Party Advisory)
- https://devhub.checkmarx.com/cve-details/CVE-2024-5685/ (Third Party Advisory)
- https://github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc (Patch)
- https://github.com/snipe/snipe-it/pull/14745 (Issue Tracking)
- https://github.com/snipe/snipe-it/releases/tag/v6.4.2 (Release Notes)
FAQ
What is CVE-2024-5685?
CVE-2024-5685 is a vulnerability in Snipe-IT with a CVSS base score of 7.6 (HIGH). Users holding both the "User:edit" and "Self:api" permissions can promote or demote themselves or other users by changing group memberships through the API. This issue affects Snipe-IT from v4.6.17 through v6.4.1.
How severe is CVE-2024-5685?
CVE-2024-5685 has been rated HIGH with a CVSS base score of 7.6/10. This page lists only the base score and rating; consult the advisories in the references for the full metric breakdown.
Is there a patch for CVE-2024-5685?
Yes. The issue is fixed in Snipe-IT v6.4.2; the release notes, the fixing commit and the pull request are linked in the references section above. Every version from v4.6.17 up to and including v6.4.1 is affected. Affected products: Snipeitapp Snipe-It.