CVE-2024-47062: 
NixOS vulnerability analysis and mitigation

Navidrome, an open-source web-based music collection server and streamer, was found to contain multiple critical security vulnerabilities tracked as CVE-2024-47062. The vulnerability was discovered by Louis Nyffenegger from PentesterLab and affects versions up to and including v0.52.5. The issue was disclosed on September 20, 2024, and received a Critical CVSS score of 9.4 (GitHub Advisory).

The vulnerability comprises multiple security issues: an ORM Leak where URL parameters are automatically added to SQL queries without proper validation, SQL injection vulnerabilities due to improperly escaped parameter names, and an authentication weakness in the LIKE statement implementation. The SQL injection allows attackers to inject arbitrary SQL code through URL parameters, while the ORM Leak enables attackers to perform password brute-force attacks by testing password patterns using LIKE statements. The authentication bypass flaw allows users to log in using wildcard characters such as '%' instead of legitimate usernames (Security Online, GitHub Advisory).

If successfully exploited, these vulnerabilities could allow attackers to leak sensitive information, dump the contents of the database, and gain unauthorized access to user accounts. The high CVSS score of 9.4 indicates critical severity with potential for significant data exposure and system compromise (Security Online).

The vulnerabilities have been addressed in Navidrome version 0.53.0. Users of affected versions are strongly advised to upgrade to this patched version immediately. No alternative workarounds are available for these vulnerabilities (ASEC, GitHub Advisory).