CVE-2024-56362 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-56362

CVE-2024-56362

December 23, 2024

Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.

Related Resources (7)

https://github.com/navidrome/navidrome/security/advisories/GHSA-xwx7-p63r-2rj8

https://github.com/navidrome/navidrome

https://github.com/navidrome/navidrome/commit/7f030b0859653593fd2ac0df69f4a313f9caf9ff

https://pkg.go.dev/vuln/GO-2024-3357

https://github.com/navidrome/navidrome/commit/9cbdb20a318a49daf95888b1fd207d4d729b55f1

https://nvd.nist.gov/vuln/detail/CVE-2024-56362

https://github.com/navidrome/navidrome/releases/tag/v0.54.1

Do you need more information?

CVSS v4

Base Score:

8.4

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Cleartext Storage of Sensitive Information

CWE-312

EPSS

Base Score:

0.04

Products

Solutions

Resources

Company

Compare

Developer Tools