CVE-2024-5685

HIGH EPSS 32.6%
Published Jun 14, 20242y ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Jun 14, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
32.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
snipeitappsnipe-it*≥4.6.17  –  <6.4.2

References 5

  • advisory.checkmarx.net https://advisory.checkmarx.net/?search=CVE-2024-5685
    Third Party Advisory
  • devhub.checkmarx.com https://devhub.checkmarx.com/cve-details/CVE-2024-5685/
    Third Party Advisory
  • github.com https://github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1
    Patch
  • github.com https://github.com/snipe/snipe-it/pull/14745
    Issue Tracking
  • github.com https://github.com/snipe/snipe-it/releases/tag/v6.4.2
    Release Notes

Remediation

  • github.com https://github.com/snipe/snipe-it/commit/34f1ea1c0ecd403047cd1327569ee391a7201cc1
    Patch