CVE-2021-3858
📋 TL;DR
CVE-2021-3858 is a Cross-Site Request Forgery (CSRF) vulnerability in Snipe-IT. An attacker who lures an authenticated user to a page they control can make that user's browser submit state-changing requests to Snipe-IT that the user never intended. It affects any user with an active Snipe-IT session and can lead to unauthorized changes to asset data.
💻 Affected Systems
- Snipe-IT
📦 What is this software?
Snipe-IT (vendor: snipeitapp) is an open-source, Laravel-based IT asset management web application used to track hardware, licenses, accessories and their assignment to users.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate asset data, delete records, or modify user permissions through forged requests executed by authenticated administrators.
Likely Case
Unauthorized modification of asset information, creation of fake assets, or alteration of existing asset details by exploiting authenticated user sessions.
If Mitigated
With proper CSRF protection, every state-changing request must carry a valid anti-CSRF token tied to the user's session; a forged cross-site request cannot include one, so the server rejects it (Laravel's VerifyCsrfToken middleware answers with HTTP 419) and no action is performed.
🎯 Exploit Status
CSRF attacks are well understood and cheap to carry out: the attacker only needs an HTML page that auto-submits a form or fires a request to the vulnerable endpoint. Exploitation requires the victim to have an active Snipe-IT session in their browser and to load the attacker-controlled page (or follow a link to it) while that session is valid; the attacker never sees the victim's credentials or the response.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 84c73aae5dcafa9529ceeeda6e8cdda5a42129c3 and later
Vendor Advisory: https://github.com/snipe/snipe-it/commit/84c73aae5dcafa9529ceeeda6e8cdda5a42129c3
Restart Required: No
Instructions:
1. Update Snipe-IT to a release that includes commit 84c73aae5dcafa9529ceeeda6e8cdda5a42129c3.
2. Verify that every state-changing form includes a CSRF token and that requests without a valid token are rejected.
3. Clear browser caches if stale pages are still served after the update.
🔧 Temporary Workarounds
Enforce CSRF Protection Middleware
Add CSRF token validation to all state-changing requests
# This requires code modification. Snipe-IT is a Laravel application: its CSRF check is the VerifyCsrfToken middleware, which applies to routes in the "web" middleware group. Make sure the affected routes run under that group and are not listed in the middleware's $except array, and that the corresponding forms emit the token (the @csrf Blade directive renders the hidden _token field).
Use SameSite Cookies
Configure the session cookie with the SameSite attribute to limit cross-site requests
# Laravel sets the SameSite attribute of its session cookie from the 'same_site' key in config/session.php, not from the PHP ini setting session.cookie_samesite (which only affects PHP's native session handler). Set 'same_site' => 'strict' (or 'lax': both stop cross-site POST submissions; Strict additionally breaks links into Snipe-IT from other sites, since the session cookie is then not sent on that navigation). This is defence in depth for browsers that honour SameSite, not a replacement for the token check.
🧯 If You Can't Patch
- Use a web application firewall or reverse proxy to reject state-changing requests (POST/PUT/PATCH/DELETE) to Snipe-IT whose Origin or Referer header is missing or names a host other than your Snipe-IT instance
- Require re-authentication for sensitive actions and implement additional confirmation steps
🔍 How to Verify
Check if Vulnerable:
Check whether your deployment contains commit 84c73aae5dcafa9529ceeeda6e8cdda5a42129c3; in a git checkout, `git merge-base --is-ancestor 84c73aae5dcafa9529ceeeda6e8cdda5a42129c3 HEAD` exits 0 when it does. Review the application's state-changing forms for a missing hidden _token field.
Check Version:
Check the Snipe-IT version shown in the application's footer or About page. Note that `php artisan --version` prints the Laravel framework version, not the Snipe-IT release, so it does not tell you whether the fix is present.
Verify Fix Applied:
Verify that all state-changing forms include a CSRF token and that a POST without a valid token is rejected (in a Laravel application this is an HTTP 419 response) rather than acted on. Replay a captured request with the _token field removed, or use a CSRF testing tool, to confirm.
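The two checks above (scanning forms for the token and probing an endpoint without it) can be scripted. The following is an added example, not code from the page or from the Snipe-IT project; the sample HTML and the paths in it are constructed for illustration, and the live probe assumes a standard Laravel setup where VerifyCsrfToken answers a missing token with HTTP 419.

```python
"""Audit Snipe-IT (Laravel) pages for state-changing forms without a CSRF token,
and optionally probe an endpoint without the token to confirm it is rejected."""
from html.parser import HTMLParser
import urllib.error
import urllib.parse
import urllib.request

# Laravel's @csrf directive renders <input type="hidden" name="_token" value="...">.
CSRF_FIELD = "_token"
# PUT/PATCH/DELETE forms in Laravel are POSTs with a hidden _method field, so
# checking the HTML method attribute for these values is sufficient.
STATE_CHANGING = {"post", "put", "patch", "delete"}


class _FormAuditor(HTMLParser):
    """Collect every <form> with its method and whether it carries _token."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "has_token": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type", "").lower() == "hidden"
                    and a.get("name") == CSRF_FIELD and a.get("value")):
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_unprotected_forms(html):
    """Return the state-changing forms in `html` that have no non-empty _token."""
    parser = _FormAuditor()
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms
            if f["method"] in STATE_CHANGING and not f["has_token"]]


def post_without_token(url, fields, timeout=10):
    """Send a POST with no _token field and return the HTTP status code.

    419 means the token check fired; a 200 or a 302 (e.g. a redirect back to the
    edited object) means the request was processed, i.e. the route is not covered
    by VerifyCsrfToken. Needs network access; not exercised offline."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


# Constructed sample page: one protected edit form, one unprotected checkout
# form, and a harmless GET search form. Paths are illustrative only.
SAMPLE_PAGE = """
<form method="POST" action="/hardware/42">
  <input type="hidden" name="_token" value="Xk3dummyTokenValue">
  <input type="hidden" name="_method" value="PUT">
  <input name="name" value="laptop-42">
</form>
<form method="POST" action="/hardware/42/checkout">
  <input name="assigned_user" value="7">
</form>
<form method="GET" action="/hardware">
  <input name="search">
</form>
"""

if __name__ == "__main__":
    for form in find_unprotected_forms(SAMPLE_PAGE):
        print(f"missing {CSRF_FIELD}: {form['method'].upper()} {form['action']}")
```

Run the scanner over pages fetched with an authenticated session (the forms only render for logged-in users); any form it reports is a candidate endpoint to confirm with `post_without_token`, which should return 419 on a fixed deployment. A 302 to the login page on an unauthenticated probe is also a bad sign, since in the default Laravel middleware order the token check runs before route-level authentication.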
📡 Detection & Monitoring
Log Indicators:
- Bursts of HTTP 419 responses to POST/PUT/PATCH/DELETE requests (Laravel's response to a missing or invalid CSRF token)
- Asset modifications attributed to a legitimate user but originating from an unexpected IP address or at an unusual time
Network Indicators:
- State-changing requests to Snipe-IT whose Origin or Referer header is absent or names an external site
SIEM Query:
The CSRF token travels in the POST body as the _token field, which web-server access logs do not record, so a query such as `NOT csrf_token=*` cannot work. Pivot on the status code and the Referer/Origin instead (pseudo-syntax, adapt the field names to your platform):
web_requests method IN (POST, PUT, PATCH, DELETE) AND host='<your Snipe-IT host>' AND (status=419 OR NOT referer CONTAINS '<your Snipe-IT host>')