CVE-2022-23857: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

January 27, 2022

model/criteria/criteria.go in Navidrome is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users’ encrypted passwords).

References

github.com/advisories/GHSA-pmcr-2rhp-36hr
github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d
github.com/navidrome/navidrome/releases/tag/v0.47.5
nvd.nist.gov/vuln/detail/CVE-2022-23857

Detect and mitigate CVE-2022-23857 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →