CVE-2022-1155
Old sessions not blocked by login enable function in Snipe-IT
Description
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the cookie name, but all of those options logout ALL users, which could be kind of annoying. This issue is fixed in versions 6.0.0-RC-6 and 5.4.2.
How to fix CVE-2022-1155
To remediate CVE-2022-1155, upgrade the affected package to a fixed version below.
- —upgrade to 6.0.0-RC-6 or later
Is CVE-2022-1155 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 6.0.0-RC-1, < 6.0.0-RC-6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |