php · snipe/snipe-it
Heads-up
Snipe-IT S3 Signature Image Authorization Bypass
Snipe-IT S3 signature image retrieval lacks authorization before temporary URL.
What changed
On S3-backed deployments, any authenticated user who knows a signature filename can obtain a 5-minute signed S3 URL for that image, because the S3 branch of the signature-retrieval code returns before it reaches the authorize() call that the local-file branch performs.
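The control-flow shape described above, as an added PHP illustration that is not Snipe-IT's code: SignatureStore, authorizeView(), FakeS3Store and the sample records are hypothetical stand-ins for the real controller, policy and storage driver. Only the structure mirrors the advisory: one branch returns a signed URL before the authorization call, and the hardened form moves that call ahead of the backend decision so every return path is covered.

```php
<?php
// Added illustration of the flaw described in the advisory; not Snipe-IT's code.
// SignatureStore, authorizeView(), FakeS3Store and the sample data below are
// hypothetical stand-ins for the real controller, policy and storage driver.

declare(strict_types=1);

final class AuthorizationException extends RuntimeException {}

interface SignatureStore
{
    public function isS3(): bool;
    /** Signed, time-limited URL (the S3 behaviour the advisory refers to). */
    public function temporaryUrl(string $path, int $ttlSeconds): string;
    /** Path served directly from local disk. */
    public function localPath(string $path): string;
}

/** Stand-in for the policy check: admins, or the user the acceptance belongs to. */
function authorizeView(array $user, array $acceptance): void
{
    if (!$user['is_admin'] && $user['id'] !== $acceptance['assigned_to']) {
        throw new AuthorizationException('This action is unauthorized.');
    }
}

/** Shape of the code before the fix: the S3 branch returns before authorizeView(). */
function signatureBeforeFix(SignatureStore $store, array $user, array $acceptance): string
{
    $path = 'signatures/' . $acceptance['signature_filename'];
    if ($store->isS3()) {
        return $store->temporaryUrl($path, 300); // early return: no authorization on S3
    }
    authorizeView($user, $acceptance);           // only the local-file branch gets here
    return $store->localPath($path);
}

/** Hardened shape: authorize first, then choose the storage backend. */
function signatureAfterFix(SignatureStore $store, array $user, array $acceptance): string
{
    authorizeView($user, $acceptance);           // runs for every backend
    $path = 'signatures/' . $acceptance['signature_filename'];
    if ($store->isS3()) {
        return $store->temporaryUrl($path, 300);
    }
    return $store->localPath($path);
}

/** Constructed stand-in for an S3 driver; the URL and its signature are fake. */
final class FakeS3Store implements SignatureStore
{
    public function isS3(): bool { return true; }

    public function temporaryUrl(string $path, int $ttlSeconds): string
    {
        return "https://bucket.example/$path?X-Amz-Expires=$ttlSeconds&X-Amz-Signature=FAKE";
    }

    public function localPath(string $path): string { return "/var/app/storage/$path"; }
}

// Constructed sample data: user 7 owns the acceptance, user 42 does not.
$store      = new FakeS3Store();
$owner      = ['id' => 7,  'is_admin' => false];
$otherUser  = ['id' => 42, 'is_admin' => false];
$acceptance = ['assigned_to' => 7, 'signature_filename' => 'constructed-example.png'];

foreach (['signatureBeforeFix', 'signatureAfterFix'] as $fn) {
    foreach ([$owner, $otherUser] as $user) {
        try {
            $result = $fn($store, $user, $acceptance);
            printf("%-18s user %2d: %s\n", $fn, $user['id'], $result);
        } catch (AuthorizationException $e) {
            printf("%-18s user %2d: denied (%s)\n", $fn, $user['id'], $e->getMessage());
        }
    }
}
```

Run it with `php example.php`: with the S3 store in place, signatureBeforeFix hands user 42 a signed URL because the authorization call is never reached on that branch, while signatureAfterFix denies user 42 and serves only user 7. When reviewing handlers with several storage backends, the check to make is that no return path precedes the policy call; putting the call before the backend branch, or enforcing it in route middleware, removes the class of bug rather than the single instance.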
Who it affects
Snipe-IT instances with S3-backed storage; on those deployments an authenticated user who knows a signature filename can retrieve the signature image without the authorization check that the local-file path enforces.
What to do today
Apply the patch from commit ded6515cbc27a28f07395da318483c2e96263259 to fix the authorization bypass.