Vulnerability Description
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Navidrome | Navidrome | < 0.47.5 |
Related Weaknesses (CWE)
References
- https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844PatchThird Party Advisory
- https://github.com/navidrome/navidrome/releases/tag/v0.47.5Release NotesThird Party Advisory
- https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844PatchThird Party Advisory
- https://github.com/navidrome/navidrome/releases/tag/v0.47.5Release NotesThird Party Advisory
FAQ
What is CVE-2022-23857?
CVE-2022-23857 is a vulnerability with a CVSS score of 6.5 (MEDIUM). model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data f...
How severe is CVE-2022-23857?
CVE-2022-23857 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23857?
Check the references section above for vendor advisories and patch information. Affected products include: Navidrome Navidrome.