GHSA-pmcr-2rhp-36hr

Source
https://github.com/advisories/GHSA-pmcr-2rhp-36hr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-pmcr-2rhp-36hr/GHSA-pmcr-2rhp-36hr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pmcr-2rhp-36hr
Published
2022-01-27T16:23:02Z
Modified
2024-08-21T14:56:53.658175Z
Summary
SQL injection in github.com/navidrome/navidrome
Details

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).

Database specific
{
    "nvd_published_at": "2022-01-24T02:15:00Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-25T21:03:46Z"
}
Affected packages

Go / github.com/navidrome/navidrome

Package

Name
github.com/navidrome/navidrome
Purl
pkg:golang/github.com/navidrome/navidrome

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.47.5