x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-hrmx-8jjv-g758

[GoVulnBot]

Advisory GHSA-hrmx-8jjv-g758 references a vulnerability in the following Go modules:

Module
github.com/navidrome/navidrome

Description:
Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.

References:

• ADVISORY: GHSA-hrmx-8jjv-g758
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41259
• WEB: https://gist.github.com/nyxfqq/d192af10b53a363e2d9e430068333e04

Cross references:

• github.com/navidrome/navidrome appears in 3 other report(s):
  • data/excluded/GO-2022-0302.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2022-23857 #302) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-2414.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-wq59-4q6r-635r #2414) EFFECTIVELY_PRIVATE
  • data/reports/GO-2024-2803.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      vulnerable_at: 0.52.5
summary: Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome
cves:
    - CVE-2024-41259
ghsas:
    - GHSA-hrmx-8jjv-g758
references:
    - advisory: https://github.com/advisories/GHSA-hrmx-8jjv-g758
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41259
    - web: https://gist.github.com/nyxfqq/d192af10b53a363e2d9e430068333e04
source:
    id: GHSA-hrmx-8jjv-g758
    created: 2024-08-02T14:03:00.208353688Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports