x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-47062 #3154

Closed
GoVulnBot opened this issue Sep 20, 2024 · 1 comment

Comments

@GoVulnBot

Advisory CVE-2024-47062 references a vulnerability in the following Go modules:

Module
github.com/navidrome/navidrome

Description:
Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username. When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter's name). This allo...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      vulnerable_at: 0.53.1
summary: CVE-2024-47062 in github.com/navidrome/navidrome
cves:
    - CVE-2024-47062
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47062
    - web: https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6
source:
    id: CVE-2024-47062
    created: 2024-09-20T21:01:20.040914064Z
review_status: UNREVIEWED
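The three defects in the description above each have a standard fix, shown here as an added Python example (not Navidrome's own code, which is Go): URL filter names are checked against an allowlist instead of being interpolated into the query, values are bound and have their LIKE wildcards escaped, and the username is compared with `=` rather than `LIKE`. The table and column names and the sample rows are constructed for this illustration.

```python
import sqlite3

# Columns a client may filter on. Any other parameter name (e.g. "password")
# is rejected instead of becoming a "<name> LIKE ?" clause.
ALLOWED_FILTERS = {"name", "artist", "album"}

def escape_like(value: str) -> str:
    """Escape LIKE wildcards so user input matches literally (with ESCAPE '\\')."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def build_search(params: dict) -> tuple[str, list]:
    """Turn URL query parameters into a parameterised search query.

    Names are allowlisted (never interpolated from raw input); values are
    bound as parameters and LIKE-escaped so '%' in a value stays literal.
    """
    clauses, args = [], []
    for name, value in params.items():
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter parameter: {name!r}")
        clauses.append(f"{name} LIKE ? ESCAPE '\\'")
        args.append(f"%{escape_like(value)}%")
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT id, name FROM media_file WHERE {where}", args

def find_user_like(conn, username: str):
    """Weak pattern from the advisory: LIKE lets a bare '%' match any user."""
    row = conn.execute("SELECT id FROM user WHERE user_name LIKE ?", (username,)).fetchone()
    return row[0] if row else None

def find_user(conn, username: str):
    """Hardened lookup: exact equality, so '%' is just a (non-existent) name."""
    row = conn.execute("SELECT id FROM user WHERE user_name = ?", (username,)).fetchone()
    return row[0] if row else None

def search(conn, params: dict) -> list:
    sql, args = build_search(params)
    return [r[1] for r in conn.execute(sql, args)]

def demo_db():
    """Constructed in-memory schema and rows, only for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT);
        INSERT INTO user (user_name, password) VALUES ('alice', 'constructed-secret');
        CREATE TABLE media_file (id INTEGER PRIMARY KEY, name TEXT, artist TEXT, album TEXT);
        INSERT INTO media_file (name, artist, album) VALUES ('100% Pure', 'A', 'B'), ('Pure', 'A', 'B');
    """)
    return conn
```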

@tatianab
Contributor

Duplicate of #3153

@tatianab tatianab marked this as a duplicate of #3153 Sep 26, 2024