this post was submitted on 21 Feb 2025
23 points (100.0% liked)

Navidrome Music Server (Unofficial)

Navidrome is a free, open source web-based music collection server and streamer. It gives you freedom to listen to your music collection from any browser or mobile device. https://www.navidrome.org/

This is an unofficial community. However, we adhere to the official Code Of Conduct set by the Navidrome project.

founded 2 years ago

This is an important security fix. Please update ASAP. A proper CVE advisory will be published soon and will be linked here.

top 2 comments
Deebster@programming.dev 3 points 3 months ago* (last edited 3 months ago)

This seems quite serious, I'll definitely be reading the CVE once it's published. Luckily, I noticed the GitHub notification of the release after only a couple of hours.

edit: I read the advisory and it wasn't too bad in terms of attacker access:

Impact
An attacker can use any non-existent username to bypass the authentication system and gain access to various read-only data in Navidrome, such as user playlists. However, any attempt to modify data fails due to insufficient permissions, limiting the impact to unauthorized viewing of information.

vext01@lemmy.sdf.org 2 points 3 months ago

I wish the web ui supported jukebox mode