Snyff

**Name of the Vulnerable Software and Affected Versions** cjwt versions prior to 2.3.0 **Description** The issue is related to algorithm confusion when verifying the type of signature used in JSON Web Tokens (JWT). If a system does not differentiate between HMAC signed tokens and RS/EC/PS signed tokens during verification, it becomes vulnerable to this kind of attack. An attacker could craft a token with the `alg` field set to "HS256" while the server expects an asymmetric algorithm like "RS256". The server might mistakenly use the wrong verification method, such as using a public key as the HMAC secret, leading to unauthorized access. For RSA, the key can be computed from a few signatures. For Elliptic Curve (EC), two potential keys can be recovered from one signature. This can be used to bypass the signature mechanism if an application relies on asymmetrically signed tokens. **Recommendations** For versions prior to 2.3.0, upgrade to version 2.3.0 or later to address the issue. There are no known workarounds for this vulnerability. As a temporary workaround, consider restricting access to the vulnerable token verification mechanism until a patch is available. Avoid using the `alg` field in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Navidrome versions prior to 0.53.0 **Description** The issue is related to SQL Injection and Authentication Bypass in Navidrome Music Server. Navidrome automatically adds parameters in the URL to SQL queries, which can be exploited to access information by adding parameters like `password=...` in the URL. The names of the parameters are not properly escaped, leading to SQL Injections. Furthermore, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. This can be used to leak information and dump the contents of the database. Attackers can use the API endpoint `/api/user` to test whether some encrypted passwords start with a specific string, allowing them to slowly brute-force passwords. For example, attackers can use the following request: `GET /api/user? end=36& order=DESC&password=AAA%`. This results in an SQL query like `password LIKE 'AAA%'`. **Recommendations** For versions prior to 0.53.0, upgrade to version 0.53.0 to fix the SQL Injection and Authentication Bypass vulnerabilities. As a temporary workaround, consider restricting access to the `/api/user` and `/api/album` API endpoints to minimize the risk of exploitation. Avoid using the `password` parameter in the URL until the issue is resolved. Restrict access to the `userRepository` function to prevent authentication weaknesses.

Name of the Vulnerable Software and Affected Versions: HTTPEngine (affected versions not specified) Description: The issue arises from improper sanitization of user input in HTTPEngine.Handle, allowing directory traversal. This enables an attacker to read files outside the target directory, provided the server has the necessary permissions to access those files. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.11.82.1218 **Description** A directory traversal issue exists in the file-upload functionality, allowing an attacker to create a file under data/sessions on the server. **Recommendations** For versions prior to 0.11.82.1218, update to version 0.11.82.1218 or later to resolve the issue.