CVE-2024-47062
Published: 20 September 2024
Summary
CVE-2024-47062 is a critical-severity SQL Injection (CWE-89) vulnerability in Navidrome Navidrome. Its CVSS base score is 9.4 (Critical).
Operationally, ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Navidrome, an open source web-based music collection server and streamer, contains multiple injection flaws stemming from automatic incorporation of URL parameters into SQL queries. Parameter names are not escaped, enabling direct SQL injection, while certain parameters are appended to LIKE clauses. This permits attackers to supply values such as password=AAA to generate queries like password LIKE 'AAA%', and the username field is similarly used in an unescaped LIKE predicate that accepts % wildcards.
An attacker with low privileges can supply crafted URL parameters to leak encrypted password prefixes, brute-force credentials incrementally, or extract arbitrary database contents. The issues map to CWE-89 and carry a CVSS 4.0 score of 9.4, reflecting network-accessible exploitation with high impact on confidentiality, integrity, and availability.
The GitHub Security Advisory GHSA-58vj-cv5w-v4v6 states that the vulnerabilities are resolved in release 0.53.0 and that no workarounds exist; administrators are advised to upgrade immediately. The associated EPSS score remains elevated near its observed peak of 0.8677.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2719
Vulnerability details
Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the…
more
names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.