Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01OHZqLWN2NXctdjR2Ns4AA_tD
Navidrome has Multiple SQL Injections and ORM Leak
Security Advisory: Multiple Vulnerabilities in Navidrome
Summary
Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak).
Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections.
Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username.
Details
ORM Leak
When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information.
For example, attackers can use the following request to test whether some encrypted passwords start with AAA:
GET /api/user?_end=36&_order=DESC&password=AAA%
This results in an SQL query like password LIKE 'AAA%', allowing attackers to slowly brute-force passwords. (Also, any reason for using encryption instead of hashing?)
SQL Injections
When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped.
This behavior can be used to inject arbitrary SQL code (SQL Injection), for example:
GET /api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&SELECT+*+FROM+USER--=123 HTTP/1.1
This is only an example, but you should see an error message in the logs.
Authentication Weakness
When retrieving the user for authentication, the following code is used:
func (r *userRepository) FindByUsername(username string) (model.User, error) {
sel := r.newSelect().Columns("").Where(Like{"user_name": username})
var usr model.User
err := r.queryOne(sel, &usr)
return &usr, err
}
This relies on a LIKE statement and allows users to log in with % instead of the legitimate username.
Proof of Concept (PoC)
See above.
Impact
These vulnerabilities can be used to leak information and dump the contents of the database.
Credit
Louis Nyffenegger from PentesterLab
Permalink: https://github.com/advisories/GHSA-58vj-cv5w-v4v6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OHZqLWN2NXctdjR2Ns4AA_tD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0005
EPSS Percentile: 0.21498
Identifiers: GHSA-58vj-cv5w-v4v6, CVE-2024-47062
References:
- https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6
- https://github.com/navidrome/navidrome/commit/3107170afd9f557a10f7031f23cb3c9e975a71f9
- https://nvd.nist.gov/vuln/detail/CVE-2024-47062
- https://github.com/advisories/GHSA-58vj-cv5w-v4v6
Blast Radius: 0.0
Affected Packages
go:github.com/navidrome/navidrome
Dependent packages: 0Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.53.0
Fixed in: 0.53.0
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.34.1, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.41.1, 0.42.0, 0.42.1, 0.43.0, 0.44.0, 0.44.1, 0.45.0, 0.45.1, 0.46.0, 0.47.0, 0.47.5, 0.48.0, 0.49.0, 0.49.1, 0.49.2, 0.49.3, 0.50.0, 0.50.1, 0.50.2, 0.51.0, 0.51.1, 0.52.0, 0.52.5
All unaffected versions: 0.53.0, 0.53.1, 0.53.2, 0.53.3