CVE-2024-47062
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-47062
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47062.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-47062
- Aliases
- Published
- 2024-09-20T19:15:16Z
- Modified
- 2025-08-27T09:01:14.424212Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like
password=...in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in aLIKEstatement, allowing people to log in with%instead of their username. When adding parameters to the URL, they are automatically included in an SQLLIKEstatement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start withAAA. This results in an SQL query likepassword LIKE 'AAA%', allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. - References
Affected packages
Git / github.com/navidrome/navidrome
Affected ranges
- Type
- GIT
- Repo
- https://github.com/navidrome/navidrome
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed