GHSA-33g4-646g-qwmmMediumCVSS 6.3
Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update
🔗 CVE IDs covered (1)
📋 Description
Impact
The BulkAssetsController::update() method accepts company_id directly from user input without calling Company::getIdForCurrentUser(), the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.
Patches
Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18
🎯 Affected products1
- composer/snipe/snipe-it:<= 8.4.1