SQL Injection Vulnerability in Navidrome Product
CVE-2022-23857

6.5MEDIUM

Key Information:

Vendor: Navidrome
Status: Navidrome
Vendor: CVE Published:; 24 January 2022

What is CVE-2022-23857?

The Navidrome application prior to version 0.47.5 is susceptible to SQL injection attacks through the processing of specially crafted Smart Playlists. This vulnerability allows authenticated users to manipulate database queries to extract sensitive information, including user data from the database. Compromised data may include encrypted passwords, posing a significant security risk for affected systems. It is crucial for users to upgrade to version 0.47.5 or later to safeguard against these potential exploits.

References

https://github.com/navidrome/navidrome/releases/tag/v0.47.5

x_refsource_MISC

https://github.com/navidrome/navidrome/commit/9e79b5cbf2a...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 24, 2022
Vulnerability Reserved
Jan 24, 2022