CVE-2024-32963
Vulnerability from cvelistv5
Published
2024-05-01 06:39
Modified
2024-08-02 02:27
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttps://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm
af854a3a-2127-422b-91ae-364da2661108https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:navidrome:navidrome:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "navidrome",
            "vendor": "navidrome",
            "versions": [
              {
                "lessThan": "0.52.0",
                "status": "affected",
                "version": "-",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32963",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-01T15:00:08.291820Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:49:41.638Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:52.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "navidrome",
          "vendor": "navidrome",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.52.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T06:39:10.510Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"
        }
      ],
      "source": {
        "advisory": "GHSA-4jrx-5w4h-3gpm",
        "discovery": "UNKNOWN"
      },
      "title": "Parameter Tampering vulnerability in Navidrome"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32963",
    "datePublished": "2024-05-01T06:39:10.510Z",
    "dateReserved": "2024-04-22T15:14:59.164Z",
    "dateUpdated": "2024-08-02T02:27:52.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32963\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-01T07:15:40.217\",\"lastModified\":\"2024-11-21T09:16:07.500\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\\n\"},{\"lang\":\"es\",\"value\":\"Navidrome es un servidor y transmisor de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. En las versiones afectadas de Navidrome est\u00e1n sujetas a una vulnerabilidad de manipulaci\u00f3n de par\u00e1metros donde un atacante tiene la capacidad de manipular los valores de los par\u00e1metros en las solicitudes HTTP. El atacante puede cambiar los valores de los par\u00e1metros en el cuerpo y hacerse pasar por otro usuario. En este caso, el atacante cre\u00f3 una lista de reproducci\u00f3n, agreg\u00f3 una canci\u00f3n, public\u00f3 un comentario arbitrario, configur\u00f3 la lista de reproducci\u00f3n para que fuera p\u00fablica y puso al administrador como propietario de la lista de reproducci\u00f3n. El atacante debe poder interceptar el tr\u00e1fico http para este ataque. Cada usuario conocido se ve afectado. Un atacante puede obtener el ID del propietario a partir de la informaci\u00f3n de la lista de reproducci\u00f3n compartida, lo que significa que todos los usuarios que han compartido una lista de reproducci\u00f3n tambi\u00e9n se ven afectados, ya que pueden ser suplantados. Este problema se solucion\u00f3 en la versi\u00f3n 0.52.0 y se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.