Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02MzZqLTd4N3ItZ3Z3Ms03Uw
Old sessions not blocked by login enable function in Snipe-IT
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.
Permalink: https://github.com/advisories/GHSA-636j-7x7r-gvw2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MzZqLTd4N3ItZ3Z3Ms03Uw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 7.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS Percentage: 0.00071
EPSS Percentile: 0.33539
Identifiers: GHSA-636j-7x7r-gvw2, CVE-2022-1155
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-1155
- https://github.com/snipe/snipe-it/commit/bdabbbd4e98e88ee01e728ceb4fd512661fbd38d
- https://huntr.dev/bounties/ebc26354-2414-4f72-88aa-f044aec2b2e1
- https://github.com/snipe/snipe-it/pull/10876
- https://github.com/snipe/snipe-it/releases/tag/v6.0.0-RC-6
- https://github.com/snipe/snipe-it/releases/tag/v5.4.2
- https://github.com/advisories/GHSA-636j-7x7r-gvw2
Blast Radius: 0.0
Affected Packages
packagist:snipe/snipe-it
Dependent packages: 0Dependent repositories: 1
Downloads: 431 total
Affected Version Ranges: < 5.4.2, >= 6.0.0-RC-1, <= 6.0.0-RC-5
Fixed in: 5.4.2, 6.0.0-RC-6
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 3.1.0, 3.2.0, 3.3.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.6.15, 4.6.16, 4.6.17, 4.6.18, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.8.0, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.4.0, 5.4.1, 6.0.0-RC-1, 6.0.0-RC-2, 6.0.0-RC-3, 6.0.0-RC-4, 6.0.0-RC-5
All unaffected versions: 5.4.2, 5.4.3, 5.4.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.4.0, 6.4.1, 6.4.2, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.1.14, 7.1.15