Just a few days ago, a patch for CVE-2024-52301 was applied to Laravel’s core, Laravel being the PHP framework we use here at Grokability for Snipe-IT. The Snipe-IT release carrying the fix for this security flaw, v7.1.14, went out earlier today.
While hosted customers were NOT affected (we do not have register_argc_argv enabled on any of our servers), self-hosted community users and support-only customers are encouraged to upgrade as soon as possible, or at the very least make sure that setting is not enabled in your php.ini.
When register_argc_argv is enabled, it increases the attack surface for applications, making it easier for attackers to abuse PHP’s default behavior, especially when combined with vulnerabilities like CVE-2024-52301. Self-hosted users should carefully assess PHP configuration settings to minimize exposure to such risks, particularly when working on publicly accessible applications.
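As an added example (not code from this post or from the Snipe-IT project), here is a small POSIX shell check that reports the effective register_argc_argv value in a php.ini file. The file path argument and the sample ini contents are constructed for the demo; the rules it applies (comment lines ignored, last directive wins, a missing directive falls back to PHP’s built-in default of On) are PHP’s own.

```shell
#!/bin/sh
# Added example, not code from Snipe-IT or Laravel: report the effective value of
# register_argc_argv in one php.ini file, so a self-hosted admin can confirm the
# setting is off for the SAPI that actually serves the app (php-fpm or mod_php).
#
# Rules implemented (matching how PHP reads the file):
#   - lines whose first non-blank character is ';' are comments and are ignored
#   - the LAST uncommented register_argc_argv directive wins
#   - On / 1 / true / yes (any case, optionally quoted) mean enabled
#   - a missing directive is NOT "off": PHP's built-in default is On
#     (php.ini-production turns it off explicitly), so it is reported as default-on

# Usage: register_argc_argv_state /path/to/php.ini
# Prints one of: on, off, default-on
register_argc_argv_state() {
    ini_file="$1"
    pattern='^[[:space:]]*register_argc_argv[[:space:]]*='
    if ! grep -q "$pattern" "$ini_file"; then
        echo "default-on"
        return 0
    fi
    # Take the last active directive, drop the key, any trailing ";" comment,
    # surrounding quotes and whitespace, then lower-case the value.
    value=$(grep "$pattern" "$ini_file" | tail -n 1 \
        | sed -e "s/$pattern//" -e 's/;.*$//' -e 's/"//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        on|1|true|yes) echo "on" ;;
        *) echo "off" ;;
    esac
}

# Convenience wrapper: evaluate ini text passed as a string (used by the demo).
state_of_ini_text() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    register_argc_argv_state "$tmp"
    rm -f "$tmp"
}

# Constructed samples (not taken from any real server):
# the commented-out line must be ignored, and the later directive overrides the earlier one.
INI_OVERRIDDEN='; register_argc_argv = On
register_argc_argv = On
memory_limit = 128M
register_argc_argv = Off ; later directive wins'

# quoted numeric value still counts as enabled
INI_QUOTED='register_argc_argv = "1"'

# directive absent: PHP falls back to its built-in default (On)
INI_ABSENT='memory_limit = 128M'

echo "overridden sample: $(state_of_ini_text "$INI_OVERRIDDEN")"
echo "quoted sample:     $(state_of_ini_text "$INI_QUOTED")"
echo "absent sample:     $(state_of_ini_text "$INI_ABSENT")"
```

Run it against every ini file the web SAPI loads (the main php.ini plus anything under its conf.d directory, since a later include can flip the value), and cross-check with a phpinfo() page or `php-fpm -i` from the serving SAPI. Do not rely on `php -i` from the command line for this: the CLI SAPI forces register_argc_argv on regardless of php.ini, so its output says nothing about what php-fpm or mod_php is doing.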
We constantly scan our application and make those results available to the public on our website, and we’ll be upgrading the entire hosted fleet to v7.1.14 in the next few days (during off-hours in your local time zone).
In addition to security patches in this release, we’ve also released several UI fixes, the ability to import asset models via the uploader, and a few other improvements. You can check out the full changelog for v7.1.14 on Github.
FYI, in our excitement to get this released, we mistakenly tagged this as 7.1.14 instead of 7.0.14 (yay, automation, amirite?) Unfortunately, deleting tags makes this more difficult for the docker folks, so we’re just running with it. Sorry for the confusion, but you didn’t miss anything, it was just a simple typo. We’ll update the version.php file on master so at least they both agree.
For info on upgrading, check out the documentation.
If this edge-of-your-seat blog isn’t enough, you can hear more from us in any of these places:
- Join our Discord! It’s full of great people. We even wrote about it here!
- Bluesky at @snipeitapp.com
- Mastodon at @grokability@hachyderm.io
- If you only want release notifications, subscribe on our Github repo for those notifications. (Click on “Watch” on the main repo page, then go to “Custom” and check the box that says “Releases”.)
And don’t forget to check out GoodForms – the best, easiest, cheapest, and most thorough form-based email verification and validation platform. (We make it, so you know it’s good!)