CVE-2024-56362
Published 2024-12-23
Priority P4 26 medium 5.5 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.15% (4.6th percentile)
Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. This vulnerability is fixed in 0.54.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | navidrome_navidrome | >= 0 < 0.54.1 | 0.54.1 |
| navidrome | navidrome | < 0.54.1 | 0.54.1 |
OSV
Navidrome Stores JWT Secret in Plaintext in navidrome.db in github.com/navidrome/navidrome
osv·2025-01-07
CVE-2024-56362 Navidrome Stores JWT Secret in Plaintext in navidrome.db in github.com/navidrome/navidrome
GHSA
Navidrome Stores JWT Secret in Plaintext in navidrome.db
ghsa·2024-12-23
CVE-2024-56362 [HIGH] CWE-312 Navidrome Stores JWT Secret in Plaintext in navidrome.db
Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property` table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret.
The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could:
- Forge valid tokens to impersonate users, including administrative accounts.
- Gain unauthorized access to sensitive data or perform privileged actions.
This vulnerability has been tested on the latest version of Navidrome and poses a significant risk in environments where the database file is not adequately secured.
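An added example, not part of the advisory or of Navidrome's code: a Python audit that flags an install below the fixed 0.54.1 release and a `navidrome.db` (or its SQLite `-wal`/`-shm` sidecar files) readable beyond the owning account. The function names, the hand-supplied version string and the sample values in `demo()` are assumptions made for the illustration.

```python
import os
import stat
import tempfile

FIXED = (0, 54, 1)               # fixed release named in the advisory
SIDECARS = ("", "-wal", "-shm")  # SQLite sidecar files can hold the same rows


def parse_version(text):
    """'v0.53.3 (abc123)' -> (0, 53, 3); build suffixes are ignored."""
    core = text.split()[0].lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def audit(db_path, version):
    """Return findings about exposure of the secret kept in the database file."""
    findings = []
    if parse_version(version) < FIXED:
        findings.append(f"version {version} is below 0.54.1: upgrade")
    for suffix in SIDECARS:
        path = db_path + suffix
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Any read bit for group or others lets another local account copy the file.
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path} is readable by group or others (mode {mode:o})")
    return findings


def demo():
    """Constructed sample: an empty stand-in file, mode 0644, pre-fix version."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "navidrome.db")
    open(db_path, "wb").close()
    os.chmod(db_path, 0o644)
    return audit(db_path, "0.53.3")


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Backups and copies of the database file carry the same secret, so the permission check applies to them as well.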
OSV
Navidrome Stores JWT Secret in Plaintext in navidrome.db
osv·2024-12-23
CVE-2024-56362 [HIGH] Navidrome Stores JWT Secret in Plaintext in navidrome.db
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-12-23
Published