SCA: security update for github.com/navidrome/navidrome (GHSA-58vj-cv5w-v4v6)

critical Tenable Self-Hosted Container Security Plugin ID 410701

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds
parameters in the URL to SQL queries. This can be exploited to access information by adding parameters
like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly
escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people
to log in with `%` instead of their username. When adding parameters to the URL, they are automatically
included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to
potentially retrieve arbitrary information. For example, attackers can use the following request to test
whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE
'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are
automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior
can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak
information and dump the contents of the database and have been addressed in release version 0.53.0. Users
are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2024-47062)

See Also

https://github.com/advisories/GHSA-58vj-cv5w-v4v6

Plugin Details

Severity: Critical

ID: 410701

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.87

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-47062

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 8.6

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/20/2024

Vulnerability Publication Date: 9/20/2024

Reference Information

CVE: CVE-2024-47062

cwe: CWE-89