x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357

GoVulnBot · 2024-12-23T19:01:21Z

Advisory CVE-2024-56362 references a vulnerability in the following Go modules:

Module
github.com/navidrome/navidrome

Description:
Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.

References:

ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-56362
FIX: navidrome/navidrome@7f030b0
FIX: navidrome/navidrome@9cbdb20
WEB: GHSA-xwx7-p63r-2rj8

Cross references:

github.com/navidrome/navidrome appears in 5 other report(s):
- data/reports/GO-2022-0302.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2022-23857 #302)
- data/reports/GO-2023-2414.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-wq59-4q6r-635r #2414)
- data/reports/GO-2024-2803.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803)
- data/reports/GO-2024-3029.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-hrmx-8jjv-g758 #3029)
- data/reports/GO-2024-3153.yaml (x/vulndb: potential Go vuln in github.com/navidrome/navidrome: GHSA-58vj-cv5w-v4v6 #3153)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      vulnerable_at: 0.54.2
summary: CVE-2024-56362 in github.com/navidrome/navidrome
cves:
    - CVE-2024-56362
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-56362
    - fix: https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff
    - fix: https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1
    - web: https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8
source:
    id: CVE-2024-56362
    created: 2024-12-23T19:01:21.183723696Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-01-07T01:12:33Z

Change https://go.dev/cl/640916 mentions this issue: data/reports: add 10 unreviewed reports

GoVulnBot added cve-year-2024 NeedsTriage labels Dec 23, 2024

tatianab added triaged and removed NeedsTriage labels Jan 7, 2025

gopherbot closed this as completed in 4ab2b0a Jan 7, 2025

GoVulnBot mentioned this issue Feb 24, 2025

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2025-27112 #3484

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357

GoVulnBot commented Dec 23, 2024

gopherbot commented Jan 7, 2025

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-56362 #3357

Comments

GoVulnBot commented Dec 23, 2024

gopherbot commented Jan 7, 2025