SCA: security update for github.com/navidrome/navidrome (GHSA-wq59-4q6r-635r)

high Tenable Self-Hosted Container Security Plugin ID 420060

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Navidrome is an open source web-based music collection server and streamer. A security vulnerability has
been identified in navidrome's subsonic endpoint, allowing for authentication bypass. This exploit enables
unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so
secret". The vulnerability can only be exploited on instances that have never been restarted. Navidrome
supports an extension to the subsonic authentication scheme, where a JWT can be provided using a `jwt`
query parameter instead of the traditional password or token and salt (corresponding to resp. the `p` or
`t` and `s` query parameters). This authentication bypass vulnerability potentially affects all instances
that don't protect the subsonic endpoint `/rest/`, which is expected to be most instances in a standard
deployment, and most instances in the reverse proxy setup too (as the documentation mentions to leave that
endpoint unprotected). This issue has been patched in version 0.50.2. (CVE-2023-51442)

See Also

https://github.com/advisories/GHSA-wq59-4q6r-635r

Plugin Details

Severity: High

ID: 420060

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2023-51442

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/19/2023

Vulnerability Publication Date: 12/19/2023

Reference Information

CVE: CVE-2023-51442

cwe: CWE-287