CVE-2024-47062

{"id": "CVE-2024-47062", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.4, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-09-20T19:15:16.760", "references": [{"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Navidrome es un servidor y transmisor de m\u00fasica de c\u00f3digo abierto basado en la web. Navidrome agrega autom\u00e1ticamente par\u00e1metros en la URL a las consultas SQL. Esto se puede explotar para acceder a la informaci\u00f3n agregando par\u00e1metros como `password=...` en la URL (filtraci\u00f3n de ORM). Adem\u00e1s, los nombres de los par\u00e1metros no se escapan correctamente, lo que lleva a inyecciones SQL. Finalmente, el nombre de usuario se usa en una declaraci\u00f3n `LIKE`, lo que permite a las personas iniciar sesi\u00f3n con `%` en lugar de su nombre de usuario. Al agregar par\u00e1metros a la URL, se incluyen autom\u00e1ticamente en una declaraci\u00f3n SQL `LIKE` (seg\u00fan el nombre del par\u00e1metro). Esto permite a los atacantes recuperar potencialmente informaci\u00f3n arbitraria. Por ejemplo, los atacantes pueden usar la siguiente solicitud para probar si algunas contrase\u00f1as cifradas comienzan con `AAA`. Esto da como resultado una consulta SQL como `password LIKE 'AAA%'`, lo que permite a los atacantes forzar lentamente las contrase\u00f1as. Al agregar par\u00e1metros a la URL, se agregan autom\u00e1ticamente a una consulta SQL. Los nombres de los par\u00e1metros no se escapan correctamente. Este comportamiento se puede utilizar para inyectar c\u00f3digo SQL arbitrario (inyecci\u00f3n SQL). Estas vulnerabilidades se pueden utilizar para filtrar informaci\u00f3n y volcar el contenido de la base de datos y se han solucionado en la versi\u00f3n 0.53.0. Se recomienda a los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-09-26T13:32:55.343", "sourceIdentifier": "security-advisories@github.com"}