Authentication bypass vulnerability in navidrome's subsonic endpoint
CVE-2023-51442

CVSS 8.6 (HIGH)

Key Information:

Vendor: navidrome
Status: Vendor
CVE Published: 21 December 2023

What is CVE-2023-51442?

Navidrome, an open-source web-based music collection server, has an authentication bypass vulnerability in its subsonic endpoint. The flaw permits unauthorized access to user accounts by means of a JSON Web Token (JWT) signed with the hard-coded, poorly secured key 'not so secret'. The issue affects Navidrome instances that have never been restarted and that do not adequately protect the '/rest/' subsonic endpoint, which is commonly left exposed in standard deployments. Such instances remain at risk, since the weakness is easy to exploit if left unchecked. The issue has been addressed in version 0.50.2.
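The weakness above comes down to a signing secret that is a fixed string rather than a value unique to the installation. The following Go program is an added example, not Navidrome's own code, showing the pattern that removes that class of problem: the JWT secret is drawn from the OS random source on first start, persisted with restrictive permissions, reused across restarts, and checked so that the known weak default (or any short value) is refused instead of silently used. The file name `jwt.secret`, the 32-byte minimum and the hex encoding are choices made for this example, not Navidrome settings.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// weakDefaultSecret is the hard-coded value named in the advisory. An
// instance whose signing secret still equals it accepts tokens that anyone
// can mint, so this example treats it as unacceptable.
const weakDefaultSecret = "not so secret"

// minSecretBytes is a policy choice for this example (assumption, not a
// Navidrome setting): 32 bytes gives HS256 its full 256-bit key strength.
const minSecretBytes = 32

// CheckSecret rejects the known weak default and any secret that is too short.
func CheckSecret(secret []byte) error {
	if string(secret) == weakDefaultSecret {
		return errors.New("signing secret is the known weak default")
	}
	if len(secret) < minSecretBytes {
		return fmt.Errorf("signing secret is %d bytes; need at least %d", len(secret), minSecretBytes)
	}
	return nil
}

// NewSecret draws a fresh signing secret from the OS CSPRNG.
func NewSecret() ([]byte, error) {
	buf := make([]byte, minSecretBytes)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// LoadOrCreateSecret returns the per-instance secret stored at path, creating
// it on first use. The file holds the secret hex-encoded and is written with
// mode 0600 so only the service account can read it. A stored value that
// fails CheckSecret is rejected rather than used.
func LoadOrCreateSecret(path string) ([]byte, error) {
	data, err := os.ReadFile(path)
	switch {
	case err == nil:
		secret, decErr := hex.DecodeString(strings.TrimSpace(string(data)))
		if decErr != nil {
			return nil, fmt.Errorf("stored secret is not hex: %w", decErr)
		}
		if chkErr := CheckSecret(secret); chkErr != nil {
			return nil, fmt.Errorf("stored secret rejected: %w", chkErr)
		}
		return secret, nil
	case errors.Is(err, os.ErrNotExist):
		secret, genErr := NewSecret()
		if genErr != nil {
			return nil, genErr
		}
		if wErr := os.WriteFile(path, []byte(hex.EncodeToString(secret)), 0o600); wErr != nil {
			return nil, wErr
		}
		return secret, nil
	default:
		return nil, err
	}
}

func main() {
	// Constructed demo: a throwaway directory stands in for the instance's data dir.
	dir, err := os.MkdirTemp("", "jwt-secret-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "jwt.secret")

	first, err := LoadOrCreateSecret(path) // first start: generates and persists
	if err != nil {
		panic(err)
	}
	second, err := LoadOrCreateSecret(path) // restart: reads the same secret back
	if err != nil {
		panic(err)
	}
	fmt.Println("secret survives restart:", hex.EncodeToString(first) == hex.EncodeToString(second))
	fmt.Println("weak default rejected:", CheckSecret([]byte(weakDefaultSecret)) != nil)
}
```

Keeping the secret in a file owned by the service account (rather than a compiled-in string) is what makes a token issued for one installation worthless against another; refusing the known default at load time catches a deployment that has copied an old value forward.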

Affected Version(s)

navidrome <= 0.50.1

References

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
