CVE-2023-51442: 
NixOS vulnerability analysis and mitigation

Navidrome, an open source web-based music collection server and streamer, was found to contain a security vulnerability in its subsonic endpoint that allows for authentication bypass. The vulnerability (CVE-2023-51442) enables unauthorized access to any known account by utilizing a JSON Web Token (JWT) signed with the key "not so secret". This vulnerability affects instances that have never been restarted and was patched in version 0.50.2 (GitHub Advisory).

The vulnerability stems from a bug in the startup sequence where the authentication module initializes before the module responsible for generating and persisting the random key. This causes the authentication module to fall back to using a hardcoded value "not so secret" until the instance is restarted. The flaw allows attackers to create a JWT with the sub claim set to any existing user on the server, signed with the hardcoded key, which can then be used to authenticate against the subsonic endpoint. The vulnerability has a CVSS v3.1 base score of 8.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (GitHub Advisory).

The vulnerability potentially affects all instances that don't protect the subsonic endpoint '/rest/', which includes most standard deployments and reverse proxy setups. For each known user, an attacker could manipulate playlists, bookmarks, media annotations, shares, and radios. Additionally, attackers can access user email addresses and utilize media retrieval operations, potentially affecting system availability (GitHub Advisory).

The vulnerability has been patched in version 0.50.2. Users are advised to upgrade to this version or later. Additionally, restarting the Navidrome instance will prevent the exploitation of this vulnerability as it causes the system to generate and use a random key instead of the hardcoded value (GitHub Advisory, GitHub Patch).