PT-2024-7015 · Navidrome

Snyff · Published 2024-09-15 · Updated 2025-08-26 · CVE-2024-47062

CVSS v4.0 9.4 Critical
Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions: Navidrome versions prior to 0.53.0

Description: Navidrome Music Server is affected by SQL Injection and Authentication Bypass. The REST API turns the query parameters of a request into filters on the underlying SQL query, so a parameter such as password=... in the URL becomes a condition on the password column and can be used to access information. The parameter names are not properly escaped before they are placed in the query, which leads to SQL Injection. In addition, the username is matched with a LIKE statement during authentication, so a client can log in with % in place of the username. Together these flaws can be used to leak information and dump the contents of the database. Because filter values are also matched with LIKE, an attacker can use the /api/user endpoint to test whether a stored (encrypted) password starts with a given string and recover it one character at a time. For example, the request GET /api/user?_end=36&_order=DESC&password=AAA% results in an SQL condition like password LIKE 'AAA%'.

Recommendations: For versions prior to 0.53.0, upgrade to version 0.53.0, which fixes both the SQL Injection and the Authentication Bypass. As a temporary workaround, restrict access to the /api/user and /api/album endpoints to reduce the risk of exploitation, and do not pass a password parameter in the URL until the upgrade is applied. Restricting access to the userRepository function, which backs authentication, also reduces the authentication weakness.

Exploit · Fix · SQL injection

Related Identifiers

ALT-PU-2024-17848
BDU:2024-08268
CVE-2024-47062
GHSA-58VJ-CV5W-V4V6
GO-2024-3153

Affected Products

Alt Linux
Navidrome