Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803

Open
GoVulnBot opened this issue May 1, 2024 · 1 comment
Open

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803

GoVulnBot opened this issue May 1, 2024 · 1 comment
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

CVE-2024-32963 references github.com/navidrome/navidrome, which may be a Go module.

Description:
Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      vulnerable_at: 0.52.0
      packages:
        - package: navidrome
summary: CVE-2024-32963 in github.com/navidrome/navidrome
cves:
    - CVE-2024-32963
references:
    - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm
source:
    id: CVE-2024-32963
@tatianab tatianab self-assigned this May 2, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot