Snipe-IT 8.4.0 IDOR Vulnerability Allows Unauthorized File Deletion
A class-level authorization check in the file deletion endpoint allows any authenticated user with generic asset edit permissions to delete files attached to any asset, regardless of ownership or company assignment.
What changed
The file deletion endpoint authorizes the request with a class-level check only: it confirms that the user holds the generic asset edit permission, but never checks whether the user is authorized to edit the specific asset whose file is being deleted. Because the check is never tied to the targeted asset, any authenticated user with generic asset edit permissions can delete files attached to any asset, regardless of ownership or company assignment. This affects both web and API controllers in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) and potentially earlier versions.
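The two authorization patterns side by side, as an added illustration of the bug class described above and not code from Snipe-IT; the class names, the 'assets.edit' permission string and the company-based scoping rule are assumptions chosen for the example.

```php
<?php
// Illustrative reconstruction (not Snipe-IT code) of a class-level check
// versus an instance-level check on a file deletion endpoint.
// Class-level: "does this user hold the asset-edit permission at all?"
// Instance-level: "may this user edit *this particular* asset?"

final class User {
    public function __construct(public int $id, public int $companyId, public array $permissions) {}
    public function hasPermission(string $p): bool { return in_array($p, $this->permissions, true); }
}

final class Asset {
    public function __construct(public int $id, public int $companyId) {}
}

final class AssetPolicy {
    // Vulnerable pattern: the target asset is never consulted.
    public function updateAny(User $user): bool {
        return $user->hasPermission('assets.edit');
    }
    // Hardened pattern: permission AND scope on the specific asset
    // (company match is the assumed ownership rule for this example).
    public function update(User $user, Asset $asset): bool {
        return $user->hasPermission('assets.edit') && $user->companyId === $asset->companyId;
    }
}

function deleteAssetFileVulnerable(User $user, Asset $asset, AssetPolicy $policy): bool {
    // Equivalent to authorizing against the Asset class rather than the instance:
    // $asset is accepted from the request but plays no part in the decision.
    if (!$policy->updateAny($user)) { return false; }
    return true; // file deletion would happen here
}

function deleteAssetFileFixed(User $user, Asset $asset, AssetPolicy $policy): bool {
    // The asset resolved from the request id is passed into the policy.
    if (!$policy->update($user, $asset)) { return false; }
    return true; // file deletion would happen here
}

// Constructed sample: an editor in company 1 targets an asset owned by company 2.
$policy       = new AssetPolicy();
$editor       = new User(id: 7, companyId: 1, permissions: ['assets.edit']);
$foreignAsset = new Asset(id: 42, companyId: 2);

echo 'class-level check allows deletion:    ', var_export(deleteAssetFileVulnerable($editor, $foreignAsset, $policy), true), PHP_EOL;
echo 'instance-level check allows deletion: ', var_export(deleteAssetFileFixed($editor, $foreignAsset, $policy), true), PHP_EOL;
```

A regression test for the fix is the same scenario written as an assertion: a user whose only relationship to the asset is holding the generic permission must be denied.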
Who it affects
All Snipe-IT installations running version 8.4.0, and potentially earlier versions. Exploitation requires nothing more than an authenticated account holding the generic asset edit permission; no ownership of, or company relationship to, the targeted asset is needed.
What to do today
Apply the patch from commit 8bc7d50e35d93eee5a0d48b4923e497937cf93fd to fix the vulnerability.