Description
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
References (2)
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/navidrome/navidrome/releases/tag/v0.47.5
Patch, Third Party Advisory (x_refsource_misc): https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d
Scores
CVSS v3
6.5
EPSS
0.0029
EPSS Percentile
52.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-89
Status
published
Products (2)
navidrome/navidrome
< 0.47.5
navidrome/navidrome
0 - 0.47.5 (Go)
Published
Jan 24, 2022
Tracked Since
Feb 18, 2026