Web-Based Music Collection Server Vulnerability in Navidrome
CVE-2024-56362

7.1 HIGH

Key Information:

Vendor: Navidrome
Status: Vendor
CVE Published: 23 December 2024

What is CVE-2024-56362?

Navidrome, a popular open-source web-based music collection server, has a security vulnerability stemming from the insecure handling of JSON Web Token (JWT) secrets. The JWT secret is stored in plaintext in the navidrome.db database file, in the property table. Anyone who can read the database file can therefore recover the JWT secret, compromising the integrity and confidentiality of the application. To mitigate this issue, it is strongly recommended to upgrade to version 0.54.1 or later, where this vulnerability has been addressed.

Affected Version(s)

navidrome < 0.54.1
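As an added defender-side check (example code written for this page, not Navidrome's own code), the script below audits a copy of the database the way an operator triaging this advisory would: it compares the running version against the fixed release, reports whether the property table holds any non-empty row whose id looks like a secret, and checks whether the database file is readable by other local users, which is the access condition the advisory describes. It never reads the secret value back out. The column names (id, value) and the sample row id "JWTSecret" are assumptions used to construct an in-memory sample table; the advisory itself only names the file and the table.

```python
import os
import sqlite3
import stat

# Constructed sample rows mimicking the `property` table named in the advisory.
# Column layout and the "JWTSecret" id are assumptions, not taken from the page.
SAMPLE_ROWS = [
    ("JWTSecret", "constructed-plaintext-secret-value"),
    ("LastScan-/music", "2024-12-01T00:00:00Z"),
]

# Property ids containing any of these substrings are treated as secret material.
SECRET_ID_HINTS = ("jwt", "secret")
FIXED_VERSION = (0, 54, 1)  # first release the advisory lists as fixed


def parse_version(v: str) -> tuple:
    """'v0.54.1-SNAPSHOT' -> (0, 54, 1); leading 'v' and build suffixes are dropped."""
    core = v.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(v: str) -> bool:
    """True when the version is older than the fixed release (navidrome < 0.54.1)."""
    return parse_version(v) < FIXED_VERSION


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for navidrome.db with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE property (id TEXT PRIMARY KEY, value TEXT NOT NULL DEFAULT '')"
    )
    conn.executemany("INSERT INTO property (id, value) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_plaintext_secret_ids(conn: sqlite3.Connection) -> list:
    """Return ids of property rows that look like secrets and have a non-empty value.

    Only the ids are selected; the secret values are never fetched by this audit."""
    rows = conn.execute("SELECT id FROM property WHERE length(value) > 0").fetchall()
    return [row[0] for row in rows if any(h in row[0].lower() for h in SECRET_ID_HINTS)]


def db_readable_by_others(path: str) -> bool:
    """True when group or world read bits are set on the database file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(conn: sqlite3.Connection, version: str, db_path: str = None) -> dict:
    """Summarise exposure: affected version, secret-looking rows, and file permissions."""
    findings = {
        "version_affected": version_affected(version),
        "plaintext_secret_ids": find_plaintext_secret_ids(conn),
        "db_readable_by_others": db_readable_by_others(db_path) if db_path else None,
    }
    findings["upgrade_recommended"] = (
        findings["version_affected"] and bool(findings["plaintext_secret_ids"])
    )
    return findings


if __name__ == "__main__":
    # Usage against the constructed sample; pass a real db_path to include the permission check.
    result = audit(build_sample_db(), "0.53.3")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The permission check is the operational takeaway while an upgrade is pending: a navidrome.db that only the service account can read removes the local-read precondition, although only the 0.54.1 fix changes how the secret itself is stored.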

References

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
