Navidrome
CVE-2024-41259
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information.
AnalysisAI
Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account information. Affected products include: Navidrome.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 6.9), this vulne
Navidrome is an open source web-based music collection server and streamer. Rated critical severity (CVSS 9.4), this vul
Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.6), this vulnera
Navidrome versions prior to 0.60.0 allow authenticated users to trigger denial of service by requesting image resizing w
Navidrome versions before 0.60.0 contain a stored cross-site scripting vulnerability in song comment metadata that allow
Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 4.2), this vulne
Navidrome is an open source web-based music collection server and streamer. Rated medium severity (CVSS 5.5), this vulne
Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 8.9), this vulnera
Navidrome is an open source web-based music collection server and streamer. Rated high severity (CVSS 7.4), this vulnera
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today