Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803

Closed
GoVulnBot opened this issue May 1, 2024 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/navidrome/navidrome: CVE-2024-32963 #2803

GoVulnBot opened this issue May 1, 2024 · 2 comments
Assignees
@tatianab
Labels
triaged

Comments

@GoVulnBot
Copy link

CVE-2024-32963 references github.com/navidrome/navidrome, which may be a Go module.

Description:
Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/navidrome/navidrome
      vulnerable_at: 0.52.0
      packages:
        - package: navidrome
summary: CVE-2024-32963 in github.com/navidrome/navidrome
cves:
    - CVE-2024-32963
references:
    - advisory: https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm
source:
    id: CVE-2024-32963
@tatianab tatianab self-assigned this May 2, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590039 mentions this issue: data/reports: add 51 reports

@GoVulnBot GoVulnBot mentioned this issue Aug 2, 2024
Closed
This was referenced Sep 20, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Dec 23, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot