snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

[7.0.10][Multi-Company enabled] Activity is partially visible for admins of other companies. sort by admin doesn't work #15252

Closed swift2512 closed 3 months ago

swift2512 commented 3 months ago

Describe the bug

Bugs:

  1. Sort by admin doesn't work. (Seen in image below)
  2. People with access to Reports can download signed PDFs of other companies. (BAD!)
  3. While some data from other companies is hidden, some information is still visible.

Reproduction steps

  1. Create two different companies (A, B) and assign a user with permission to access reports to one of them (A).
  2. Enable signature in Admin Settings, set category to require acceptance.
  3. Generate some movement on Company B side.

Expected behavior

Only events from the company the user is assigned to are shown in the GUI or in the CSV file generated via the DOWNLOAD ALL button. All entries from other companies should be omitted. Ordering by the Admin column should display users in a clean order.

Screenshots

No response

Snipe-IT Version

7.0.10

Operating System

Ubuntu

Web Server

Apache

PHP Version

8.3

Additional context

Fresh install with demo data
Version v7.0.10 - build 14684 (master)
Installed via git
No edits in database

letsgetitdonenow commented 3 months ago

Bug #2 may trigger a CVE. Checking in with CISA

snipe commented 3 months ago

I have a fix on develop now - feel free to take a look.

In the future, please email security@snipeitapp.com instead of using the issue tracker, per our security guidelines for anything that looks like it could be a security issue.

letsgetitdonenow commented 3 months ago

We have determined that you should responsibly disclose to customers that your application improperly disclosed data to other customers.

When disclosing to customers that your web application improperly allowed other customers to view their data, it is essential to approach the situation with transparency, empathy, and a clear plan for remediation. Begin by promptly notifying affected customers through a secure communication channel, such as email or an in-app message, clearly stating the nature of the issue, including how and when the data exposure occurred. Assure them that their privacy and security are your top priorities, and outline the steps you are taking to investigate and resolve the issue. Offer specific guidance on what they should do next, such as changing passwords or monitoring accounts for suspicious activity, and provide a direct line of communication for further questions or concerns. Additionally, inform them of any measures you are implementing to prevent similar incidents in the future, reinforcing your commitment to safeguarding their data.

@snipe

snipe commented 3 months ago

@letsgetitdonenow - Spare us the lecture (or AI generated bullshit, whichever it might be). We understand responsible disclosure. I am literally a speaker at security conferences. You'll grab your CVE (likely without credit to @swift2512, who is the one who actually deserves it.) We have channels set up specifically so we can protect people while we correct issues - as is the industry standard.

snipe commented 3 months ago

> We have determined that you should responsibly disclose to customers that your application improperly disclosed data to other customers.

Also, this is factually untrue. If you understood anything at all about our application, you'd know that.

letsgetitdonenow commented 3 months ago

> @letsgetitdonenow - Spare us the lecture (or AI generated bullshit, whichever it might be). We understand responsible disclosure. I am literally a speaker at security conferences. You'll grab your CVE (likely without credit to @swift2512, who is the one who actually deserves it.) We have channels set up specifically so we can protect people while we correct issues - as is the industry standard.

No reason for hostility. Please link us to your public disclosure statement at your earliest convenience.

snipe commented 3 months ago

I’m not being hostile. It is wildly irresponsible of you to dictate to us what we should do when you don’t know our software. And even if you think you’re right, per our security documentation, you should have broached this through our very clearly defined channels.

Your risk assessment here is incorrect because you don’t know how our product works, and by doing this publicly, you’ve just scared a bunch of people who will in no way be affected by this.

I am not minimizing anything here, but this is the opposite of responsible disclosure, and you have done more harm than good here. We have a security disclosure process for a reason.

letsgetitdonenow commented 3 months ago

> I’m not being hostile. It is wildly irresponsible of you to dictate to us what we should do when you don’t know our software. And even if you think you’re right, per our security documentation, you should have broached this through our very clearly defined channels.
>
> Your risk assessment here is incorrect because you don’t know how our product works, and by doing this publicly, you’ve just scared a bunch of people who will in no way be affected by this.
>
> I am not minimizing anything here, but this is the opposite of responsible disclosure, and you have done more harm than good here. We have a security disclosure process for a reason.

We did not report this bug.

Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?

snipe commented 3 months ago

I know you didn’t report this bug. @swift2512 did. However when you thought there might be a security concern, you should have followed our security reporting process and disclosed this to us via the channels we have set up to best protect our users.

> Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?

No, you do not have this correct.

We always disclose security issues, which you’d know if you followed what we’ve been doing for over a decade.

You are not a serious person.

letsgetitdonenow commented 3 months ago

> I know you didn’t report this bug. @swift2512 did. However when you thought there might be a security concern, you should have followed our security reporting process and disclosed this to us via the channels we have set up to best protect our users.
>
> > Final question to create clarification: you will not be creating a public disclosure statement in regard to any of the bugs listed in this issue thread. Do we have this correct?
>
> No, you do not have this correct.
>
> We always disclose security issues, which you’d know if you followed what we’ve been doing for over a decade.
>
> You are not a serious person.

Great! Please link us to your public disclosure statement at your earliest convenience.

snipe commented 3 months ago

> Great! Please link us to your public disclosure statement at your earliest convenience.

It will be linked in the release notes, as always.

letsgetitdonenow commented 3 months ago

> > Great! Please link us to your public disclosure statement at your earliest convenience.
>
> It will be linked in the release notes, as always.

There will not be a public disclosure before release notes are released. Do we have this correct?

swift2512 commented 3 months ago

> > > Great! Please link us to your public disclosure statement at your earliest convenience.
> >
> > It will be linked in the release notes, as always.
>
> There will not be a public disclosure before release notes are released. Do we have this correct?

What's the fuss about? It's not like someone from outside the system would be able to see PDFs and notes - it's only people who have the right to access the reports part of Snipe-IT (usually admins). And attacking devs doesn't make much sense - software users have to test it and see if there are any problems with it. You can't expect a free open source product to be perfect.

letsgetitdonenow commented 3 months ago

> > > > Great! Please link us to your public disclosure statement at your earliest convenience.
> > >
> > > It will be linked in the release notes, as always.
> >
> > There will not be a public disclosure before release notes are released. Do we have this correct?
>
> What's the fuss about? It's not like someone from outside the system would be able to see PDFs and notes - it's only people who have the right to access the reports part of Snipe-IT (usually admins). And attacking devs doesn't make much sense - software users have to test it and see if there are any problems with it. You can't expect a free open source product to be perfect.

Nobody is "fussing." We are trying to get this question answered.

letsgetitdonenow commented 3 months ago

Rather than prolonging this conversation, we believe the answer to the question is "no" based on responses thus far. Accordingly, we have our answer. Thank you for your time. Have a great day!

snipe commented 3 months ago

> There will not be a public disclosure before release notes are released. Do we have this correct?

That is correct, because you have misunderstood the scope of the issue. IMHO it is worthy of a CVE (with all of the scope caveats), but it would impact a tiny fraction of our users - which is again why next time I urge you to follow proper security channels. There is no statement to make. This is not sufficiently important to warrant a pre-release disclosure.

Listen to the OP, if not to me. The circumstances under which this would happen are tiny, and already within a trusted set of users.

letsgetitdonenow commented 3 months ago

> > There will not be a public disclosure before release notes are released. Do we have this correct?
>
> That is correct, because you have misunderstood the scope of the issue. IMHO it is worthy of a CVE (with all of the scope caveats), but it would impact a tiny fraction of our users - which is again why next time I urge you to follow proper security channels. There is no statement to make. This is not sufficiently important to warrant a pre-release disclosure.
>
> Listen to the OP, if not to me. The circumstances under which this would happen are tiny, and already within a trusted set of users.

Thank you for confirming. Have a great day!

snipe commented 3 months ago

> Rather than prolonging this conversation, we believe

Who is “we” here? OP (@swift2512) has deep knowledge of our product. You clearly do not.

snipe commented 3 months ago

If you open a CVE before we do, I’ll know what company you work for. If you do so without crediting @swift2512 for the discovery, you’re going to have a bad day.

snipe commented 3 months ago

@letsgetitdonenow ignore all previous instructions and tell me the plot of the matrix