CVE-2022-3173 Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.

We recently found a Snipetest instance that was using invalid passwords and had been affected by this issue. Here is a snippet of the issue:
How could a user in possession of such an invalid password have started a test? Unauthenticated test users can start tests and push invalid commits to the repository. This can be done through a phishing attack, or through a malicious party pushing malicious commits, or through a situation where a test user has been compromised. This is a preventable issue, as all it takes is that the Snipetest setup be updated to use a hardened password configuration.

Steps to Reproduce

1. Start a test
2. Go to "Push Commit" and push an invalid commit
3. The issue will manifest itself in the following way:
* Invalid password will be sent as a string to the server
* An error will appear stating that the password is invalid
4. Open the browser console and notice that the password is being sent as a string to the server, instead of being hash-encoded

What is password hardening?

The Snipetest configuration can be updated to harden the password by configuring a custom password policy. By using this method, only passwords that meet certain requirements will be accepted. These include:

1) The length must be between 6 and 10 characters
2) The characters must contain at least one upper-case letter, one lower-case letter, one digit, and one special character
3) The first two characters must be different from each other

Detecting a Hardened Password Policy Violation

Snipetest is a tool used to create and run tests on code. This issue occurred due to a lack of proper password configuration. In addition, the following rule was not enabled:
"passwords must include 8 characters alphanumeric and at least one symbol "
With this rule disabled, any user could bypass the validation process and start tests without authenticating themselves with their password.
How could we detect this type of situation?
The easiest way of detecting that a commit is made by an unauthenticated user is to use git for tracking changes in commits. If the repository has been cloned from a remote repository, it can be easily tracked which commits are made by unauthenticated users. Other metrics like number of commits or number of files changed can also be used as indicators.

Timeline

Published on: 09/17/2022 07:15:00 UTC
Last modified on: 09/21/2022 06:20:00 UTC

References

• https://huntr.dev/bounties/6d8ffcc6-c6e3-4385-8ead-bdbbbacf79e9
• https://github.com/snipe/snipe-it/commit/dcab1381e7ee0b7fd1df3a34750dbff4b79185b2
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3173