GHSA-xwx7-p63r-2rj8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xwx7-p63r-2rj8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-xwx7-p63r-2rj8/GHSA-xwx7-p63r-2rj8.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-xwx7-p63r-2rj8
- Aliases
-
- CVE-2024-56362
- Published
- 2024-12-23T20:17:44Z
- Modified
- 2024-12-23T20:27:14.290590Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Navidrome Stores JWT Secret in Plaintext in navidrome.db
- Details
-
Navidrome stores the JWT secret in plaintext in the
navidrome.dbdatabase file under thepropertytable. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could: - Forge valid tokens to impersonate users, including administrative accounts. - Gain unauthorized access to sensitive data or perform privileged actions. This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured. - Database specific
{ "nvd_published_at": "2024-12-23T18:15:07Z", "cwe_ids": [ "CWE-312" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-12-23T20:17:44Z" }- References
-
- https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8
- https://nvd.nist.gov/vuln/detail/CVE-2024-56362
- https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff
- https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1
- https://github.com/navidrome/navidrome
- https://github.com/navidrome/navidrome/releases/tag/v0.54.1
Affected packages
Go / github.com/navidrome/navidrome
Package
- Name
- github.com/navidrome/navidrome
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/navidrome/navidrome