CVE-2022-1155
Published 2022-03-30

CVE-2022-1155: Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10.

Priority: P3 36 · Severity: high · CVSS 3.1 base score 7.4
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:L / I:L / A:L
EPSS: 0.98% (57.7th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| snipe | snipe-it | >= 0 < 5.4.2 | 5.4.2 |
| snipe | snipe-it | >= 6.0.0-RC-1 < 6.0.0-RC-6 | 6.0.0-RC-6 |
| snipe | snipe_snipe-it | >= unspecified < 5.3.10 | 5.3.10 |
| snipeitapp | snipe-it | < 5.3.10 | 5.3.10 |
| snipeitapp | snipe-it | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| nvd | 3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA
Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints
ghsa·2022-07-28
CVE-2022-36887 [MEDIUM] CWE-352 Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints
Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.
Job Configuration History Plugin 1156.v536a_97b_8d649 requires POST requests for the affected HTTP endpoints.
OSV
Old sessions not blocked by login enable function in Snipe-IT
osv·2022-03-31
CVE-2022-1155 [HIGH] Old sessions not blocked by login enable function in Snipe-IT
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options log out ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.
GHSA
Old sessions not blocked by login enable function in Snipe-IT
ghsa·2022-03-31
CVE-2022-1155 [HIGH] CWE-613 Old sessions not blocked by login enable function in Snipe-IT
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options log out ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.
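The advisory text above (both the OSV and GHSA entries) describes a CWE-613 pattern: disabling an account flips a flag but leaves the account's existing sessions valid. The following is an added example, not Snipe-IT's own code, written in Python rather than the project's PHP so it runs stand-alone. It models a session store with a per-user index so that disabling one account revokes only that account's sessions (instead of the "kill all sessions" workaround the advisory mentions), and it adds a per-request check that the session's owner is still active as defense in depth against any stale session that survives. The `User`, `Session`, `SessionStore` and `Auth` names are constructed for this example; the `revoke_sessions=False` / `check_active=False` switches exist only to reproduce the vulnerable behaviour side by side with the fix.

```python
"""Added example: per-user session revocation on account disable (CWE-613).

Constructed for illustration; none of these names come from Snipe-IT.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    user_id: int
    activated: bool = True  # the "login enable" flag from the advisory


@dataclass
class Session:
    session_id: str
    user_id: int


class SessionStore:
    """In-memory session store that also indexes sessions by owner."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._by_user: Dict[int, Set[str]] = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(sid, user_id)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def revoke_user(self, user_id: int) -> int:
        """Revoke every session belonging to one user; returns the count."""
        sids = self._by_user.pop(user_id, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)

    def revoke_all(self) -> int:
        """The blunt workaround from the advisory: log out every user."""
        count = len(self._sessions)
        self._sessions.clear()
        self._by_user.clear()
        return count

    def active_count(self) -> int:
        return len(self._sessions)


class Auth:
    def __init__(self, users: Dict[int, User], store: SessionStore) -> None:
        self.users = users
        self.store = store

    def login(self, user_id: int) -> str:
        user = self.users[user_id]
        if not user.activated:
            raise PermissionError("account disabled")
        return self.store.create(user_id)

    def disable_user(self, user_id: int, revoke_sessions: bool = True) -> int:
        """Disable the account. revoke_sessions=False mirrors the vulnerable
        behaviour: the flag changes but live sessions are left untouched."""
        self.users[user_id].activated = False
        return self.store.revoke_user(user_id) if revoke_sessions else 0

    def authorize(self, sid: str, check_active: bool = True) -> Optional[User]:
        """Resolve a session cookie to a user, or None if the request must be
        rejected. check_active=False is the vulnerable variant that trusts
        session existence alone."""
        session = self.store.get(sid)
        if session is None:
            return None
        user = self.users.get(session.user_id)
        if user is None:
            return None
        if check_active and not user.activated:
            # Stale session for a disabled account: drop it and reject.
            self.store.revoke_user(session.user_id)
            return None
        return user


if __name__ == "__main__":
    auth = Auth({1: User(1), 2: User(2)}, SessionStore())
    s1, s2 = auth.login(1), auth.login(2)
    auth.disable_user(1)
    print("user 1 after disable:", auth.authorize(s1))   # None
    print("user 2 unaffected:", auth.authorize(s2))      # User(user_id=2, ...)
```

Revoking by owner keeps the other users' sessions intact, which is what the advisory's workarounds cannot do; the activation check inside `authorize` costs one lookup per request and catches sessions created through any path that bypassed the revocation (a second app node, a restored session file).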
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.