model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
References
Link | Resource |
---|---|
https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d | Patch Third Party Advisory |
https://github.com/navidrome/navidrome/releases/tag/v0.47.5 | Release Notes Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-01-24T01:56:34
Updated: 2022-01-24T01:56:34
Reserved: 2022-01-24T00:00:00
Link: CVE-2022-23857
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-24T02:15:06.877
Modified: 2022-01-27T16:14:04.917
Link: CVE-2022-23857
JSON object: View
Redhat Information
No data.
CWE