Just a few days ago, a patch for CVE-2024-52301 was applied to Laravel’s core, Laravel being the PHP framework we use here at Grokability for Snipe-IT. The patch for this security flaw was released in v7.1.14 earlier today. While hosted customers were NOT affected (we do not have register_argc_argv enabled on any of our servers), self-hosted community users and support-only customers are...
The Joys of Public Demos
As you likely know, we have two public demos of Snipe-IT, the version that’s on the master branch, and the version that’s on develop. We’ve had these public demos for years, so we’ve learned a thing or two about how people behave on public demos. 99% of the time, folks use the demos for their intended purpose, but that 1% can make things really annoying. We’ve seen...
Quick Update on polkit/pwnkit
The internet is alight this week with news of a widespread vulnerability in the Linux “policy kit” framework, specifically a root compromise via the pkexec program, designated CVE-2021-4034. Most of our systems do not fall under this advisory, and the ones that do have been fully patched. Of note, our Snipe-IT hosting systems were completely unaffected by this advisory. As always, we...
Quick update on Log4j
Having received multiple inquiries from customers about how (or whether) we are impacted by the recently announced log4j “log4shell” vulnerability, we felt it prudent to update all of our customers (and open source users) en masse. The short answer, and good news for all of us, is that we are not impacted at all, as we don’t use log4j, or any Java, in any of our systems. This includes both...