CVE-2022-23857 — Vulnetix

CVE-2022-23857 PUBLISHED CVSS 6.5 MEDIUM

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).

EPSS 0.29% · 53.0th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.29%

53.0th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
github.com	navidrome/navidrome	0
navidrome	navidrome	0

Timeline

Jan 24, 2022 CVE Published
Feb 8, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 24, 2022 EPSS Score
Jul 16, 2022 EPSS Score
Sep 7, 2022 EPSS Score
Oct 29, 2022 EPSS Score
Dec 20, 2022 EPSS Score
Feb 11, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 4, 2023 EPSS Score
May 26, 2023 EPSS Score

References

https://github.com/navidrome/navidrome/releases/tag/v0.47.5 url
https://github.com/navidrome/navidrome/commit/9e79b5cbf2a48c1e4344df00fea4ed3844ea965d url
https://nvd.nist.gov/vuln/detail/CVE-2022-23857 advisory
https://github.com/navidrome/navidrome package

Open in Interactive Console →