GHSA-58vj-cv5w-v4v6: Navidrome has Multiple SQL Injections and ORM Leak
Navidrome automatically maps parameters from the request URL onto SQL queries. This can be exploited to access information by adding parameters such as password=... to the URL (an ORM leak).

Furthermore, the names of the parameters are not properly escaped, leading to SQL injection.

Finally, the username is used in a LIKE statement, allowing a user to log in with % instead of their username.
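The three findings share one root cause: request input (parameter names, parameter values, and the username) reaches SQL text without being constrained. The following Go code is an added example written for this advisory, not Navidrome's own code, showing the defensive pattern that closes all three: an allowlist of filterable column names (so an unexpected key such as password is rejected rather than mapped onto the query), bound placeholders for every value, an equality match instead of LIKE for the username lookup, and a LIKE-escaping helper for the places where a wildcard search is genuinely wanted. The table and column names (album, user, name, artist, year, user_name) are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Columns a client may filter on. Any other key in the query string is
// rejected instead of being spliced into the SQL. These names are
// illustrative, not Navidrome's real schema.
var allowedFilters = map[string]bool{
	"name":   true,
	"artist": true,
	"year":   true,
}

// ErrUnknownFilter is returned when a query-string key is not an allowed column.
var ErrUnknownFilter = errors.New("filter on unknown or non-filterable column")

// BuildFilterQuery turns a raw query string into a parameterised statement.
// Keys are checked against allowedFilters, so neither a sensitive column
// (e.g. password) nor an arbitrary string can become part of the SQL text;
// values are bound with ? placeholders, never concatenated.
func BuildFilterQuery(rawQuery string) (string, []any, error) {
	params, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", nil, err
	}
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic SQL regardless of map iteration order

	var where []string
	var args []any
	for _, k := range keys {
		if !allowedFilters[k] {
			return "", nil, fmt.Errorf("%w: %q", ErrUnknownFilter, k)
		}
		where = append(where, k+" = ?")
		args = append(args, params.Get(k))
	}
	query := "SELECT id, name FROM album"
	if len(where) > 0 {
		query += " WHERE " + strings.Join(where, " AND ")
	}
	return query, args, nil
}

// LookupUserQuery matches the username with = rather than LIKE, so "%" and
// "_" in the supplied name are literal characters, not wildcards.
func LookupUserQuery(username string) (string, []any) {
	return "SELECT id, password_hash FROM user WHERE user_name = ?", []any{username}
}

// EscapeLike neutralises LIKE wildcards for the cases where a pattern match
// is intended (e.g. a search box). The caller must append ESCAPE '\' to the
// LIKE clause so the backslash is recognised as the escape character.
func EscapeLike(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(s)
}

func main() {
	// Constructed sample inputs: one legitimate filter, one rejected key.
	q, args, err := BuildFilterQuery("name=Abbey+Road&year=1969")
	fmt.Println(q, args, err)
	_, _, err = BuildFilterQuery("password=x")
	fmt.Println("rejected:", err)
	q, args = LookupUserQuery("%")
	fmt.Println(q, args) // "%" is bound as a literal value, not a wildcard
	fmt.Println(EscapeLike("100%_done"))
}
```

The allowlist is the important piece: escaping column names would only address the injection, whereas rejecting unknown keys also closes the ORM leak, because a client can no longer steer the query toward columns the endpoint was never meant to expose.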