CVE-2022-23064
📋 TL;DR
CVE-2022-23064 is a Host header injection vulnerability in Snipe-IT: because the application builds password reset links from the HTTP Host header, a crafted request can make the emailed link point at an attacker-controlled server. When a user clicks such a link, the password reset token is leaked to the attacker, enabling account takeover. All Snipe-IT installations from v3.0-alpha through v5.3.7 are affected.
💻 Affected Systems
- Snipe-IT
📦 What is this software?
Snipe It by Snipeitapp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts, including administrative accounts, leading to full system control and potential data exfiltration.
Likely Case
Targeted account takeover of specific users, potentially including administrators, leading to unauthorized access and privilege escalation.
If Mitigated
No impact if proper input validation and host header verification are implemented.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.3.8 and later
Vendor Advisory: https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc
Restart Required: No
Instructions:
1. Update Snipe-IT to version 5.3.8 or later.
2. Apply the patch from the GitHub commit.
3. Verify the fix by testing password reset functionality.
🔧 Temporary Workarounds
Web Server Host Header Validation
Configure the web server (Apache/Nginx) to validate and restrict Host headers.
# Apache: Set UseCanonicalName On in httpd.conf
# Nginx: Set server_name directive with valid hosts
Application Firewall Rules
Implement WAF rules to block requests whose Host header is not one of your own hostnames.
# Example ModSecurity rule: SecRule REQUEST_HEADERS:Host "!@rx ^yourdomain\.com$" "id:1001,phase:1,deny"
🧯 If You Can't Patch
- Implement strict host header validation at the reverse proxy or load balancer level.
- Disable password reset functionality temporarily if not critical.
🔍 How to Verify
Check if Vulnerable:
Check if Snipe-IT version is between v3.0-alpha and v5.3.7 by examining the application version in the admin panel or configuration files.
Check Version:
php artisan --version (for Snipe-IT) or check .env file for APP_VERSION
Verify Fix Applied:
Test password reset functionality with crafted host headers; requests should be rejected or use the correct domain.
📡 Detection & Monitoring
Log Indicators:
- Unusual host header values in HTTP logs
- Multiple failed password reset attempts from single IP
- Password reset requests with non-standard domains
Network Indicators:
- HTTP requests with manipulated Host headers to password reset endpoints
- Outbound connections to suspicious domains after password reset clicks
SIEM Query:
source="web_logs" AND (url="*/password/reset*" OR url="*/auth/password*" OR url="*/forgot-password*") AND (host_header!="*yourdomain.com*" OR host_header="*attacker*" OR host_header="*malicious*" OR host_header="*evil*")
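A concrete form of the log check above, added here as an example (it is not from the advisory or from Snipe-IT): flag password reset requests whose Host header is not one of the hostnames the instance is legitimately served under. The log format, the allow-list and the sample lines are constructed assumptions; the reset paths are the ones in the SIEM query.

```python
import re

# Assumed: hostnames this Snipe-IT instance is legitimately served under.
ALLOWED_HOSTS = {"assets.example.com", "assets.example.internal"}

# Password reset paths taken from the advisory's SIEM query.
RESET_PATHS = ("/password/reset", "/auth/password", "/forgot-password")

# Assumed log format: combined log with the Host header appended in quotes,
#   client - - [time] "METHOD path HTTP/x" status bytes "host_header"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

def normalize_host(raw: str) -> str:
    """Lower-case the Host value and drop any :port so 'Assets.Example.com:443'
    matches 'assets.example.com'; bracketed IPv6 literals keep their brackets."""
    host = raw.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0]

def is_reset_request(path: str) -> bool:
    """True when the request path (query string ignored) is a reset endpoint."""
    bare = path.split("?", 1)[0]
    return any(bare.startswith(p) for p in RESET_PATHS)

def suspicious_reset_requests(lines, allowed=ALLOWED_HOSTS):
    """Return (client, host_header, path) for reset requests whose Host header
    is not an allowed hostname. Unparseable lines are skipped, not alerted on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_reset_request(m["path"]):
            if normalize_host(m["host"]) not in allowed:
                hits.append((m["client"], m["host"], m["path"]))
    return hits

# Constructed sample lines: two benign, two carrying forged Host headers.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "assets.example.com"',
    '10.0.0.5 - - [01/Jan/2022:10:00:10 +0000] "POST /password/reset HTTP/1.1" 302 0 "Assets.Example.com:443"',
    '203.0.113.7 - - [01/Jan/2022:10:01:00 +0000] "POST /password/reset HTTP/1.1" 302 0 "lookalike.example"',
    '203.0.113.7 - - [01/Jan/2022:10:01:05 +0000] "POST /forgot-password HTTP/1.1" 302 0 "198.51.100.23:8080"',
]

if __name__ == "__main__":
    for hit in suspicious_reset_requests(SAMPLE_LOG): print("ALERT", hit)
```

The second sample line shows why the port and case normalisation matters: a legitimate `Host: Assets.Example.com:443` must not raise an alert.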
🔗 References
- https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23064