CVE-2024-28194

Source
https://cve.org/CVERecord?id=CVE-2024-28194
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28194.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-28194
Aliases
  • GHSA-gvcr-g265-j827
Published
2024-03-13T18:18:02.341Z
Modified
2025-12-05T04:16:35.632362Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Authentication Bypass Because of Hardcoded JWT Secret in your_spotify
Details

your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28194.json",
    "cwe_ids": [
        "CWE-798"
    ]
}
References

Affected packages

Git / github.com/yooooomi/your_spotify

Affected ranges

Type
GIT
Repo
https://github.com/yooooomi/your_spotify
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28194.json"