{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32963", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.164Z", "datePublished": "2024-05-01T06:39:10.510Z", "dateUpdated": "2024-08-02T02:27:52.376Z"}, "containers": {"cna": {"title": "Parameter Tampering vulnerability in Navidrome", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"version": "< 0.52.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:39:10.510Z"}, "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "source": {"advisory": "GHSA-4jrx-5w4h-3gpm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32963", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:00:08.291820Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:navidrome:navidrome:-:*:*:*:*:*:*:*"], "vendor": "navidrome", "product": "navidrome", "versions": [{"status": "affected", "version": "-", "lessThan": "0.52.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:49:41.638Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.376Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.376Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32963", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:00:08.291820Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:navidrome:navidrome:-:*:*:*:*:*:*:*"], "vendor": "navidrome", "product": "navidrome", "versions": [{"status": "affected", "version": "-", "lessThan": "0.52.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T15:00:48.490Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Parameter Tampering vulnerability in Navidrome", "source": {"advisory": "GHSA-4jrx-5w4h-3gpm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"status": "affected", "version": "< 0.52.0"}]}], "references": [{"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:39:10.510Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32963", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:27:52.376Z", "dateReserved": "2024-04-22T15:14:59.164Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-01T06:39:10.510Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter tampering vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. The attacker must be able to intercept http traffic for this attack. Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated. This issue has been addressed in version 0.52.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.\n"}, {"lang": "es", "value": "Navidrome es un servidor y transmisor de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. En las versiones afectadas de Navidrome est\u00e1n sujetas a una vulnerabilidad de manipulaci\u00f3n de par\u00e1metros donde un atacante tiene la capacidad de manipular los valores de los par\u00e1metros en las solicitudes HTTP. El atacante puede cambiar los valores de los par\u00e1metros en el cuerpo y hacerse pasar por otro usuario. En este caso, el atacante cre\u00f3 una lista de reproducci\u00f3n, agreg\u00f3 una canci\u00f3n, public\u00f3 un comentario arbitrario, configur\u00f3 la lista de reproducci\u00f3n para que fuera p\u00fablica y puso al administrador como propietario de la lista de reproducci\u00f3n. El atacante debe poder interceptar el tr\u00e1fico http para este ataque. Cada usuario conocido se ve afectado. Un atacante puede obtener el ID del propietario a partir de la informaci\u00f3n de la lista de reproducci\u00f3n compartida, lo que significa que todos los usuarios que han compartido una lista de reproducci\u00f3n tambi\u00e9n se ven afectados, ya que pueden ser suplantados. Este problema se solucion\u00f3 en la versi\u00f3n 0.52.0 y se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-32963", "lastModified": "2024-05-01T13:01:51.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-01T07:15:40.217", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-4jrx-5w4h-3gpm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}