Platform
php
Component
owntone-server
Fixed in
29.1.0
CVE-2026-41457 represents a SQL Injection vulnerability discovered in OwnTone Server. This flaw allows attackers to inject malicious SQL expressions by manipulating the query and filter parameters within DAAP query handling, potentially leading to unauthorized access to sensitive media library data. The vulnerability affects versions 28.4.0 through 29.0 of OwnTone Server. A patch is available in version 29.1.0.
CVE-2026-41457 in OwnTone Server (versions 28.4 through 29.0) poses a significant risk due to a SQL injection vulnerability. This flaw resides in the handling of DAAP queries and filters, allowing attackers to inject malicious SQL code through the query= and filter= parameters for integer-mapped DAAP fields. Insufficient sanitization of these parameters allows attackers to bypass filters and gain unauthorized access to media library data, potentially exposing sensitive information about files and metadata. Successful exploitation could lead to data disclosure, modification, or even server compromise. Applying the update to version 29.1.0 is crucial to mitigate this risk.
The vulnerability is reached by manipulating the query= and filter= parameters in DAAP requests: an attacker could construct a request whose parameter values contain SQL designed to extract information from the database. The affected path is the handling of integer-mapped DAAP fields, whose values are placed into the SQL expression without first being validated as integers. The impact of exploitation depends on the server configuration and database access permissions. Penetration testing is recommended to identify potential attack vectors and evaluate the effectiveness of implemented security measures.
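To make the mechanism concrete, here is an added example written for this page (not OwnTone's code) in Python with an in-memory SQLite table: a DAAP-style filter on an integer-mapped field is translated to SQL by splicing the raw value into the statement, which is the class of defect described above, and beside it a hardened version that validates the value as an integer and binds it as a parameter. The field-to-column mapping, the simplified `field:value` filter syntax and the table contents are assumptions.

```python
import re
import sqlite3

# Constructed allowlist of DAAP field names -> SQL columns for integer-mapped
# fields (assumption: illustrates the idea, not OwnTone's real schema).
INT_FIELDS = {"daap.songalbumid": "album_id", "daap.songyear": "year"}

# Constructed in-memory media library with three files.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE files(id INTEGER PRIMARY KEY, title TEXT, album_id INTEGER, year INTEGER);
INSERT INTO files VALUES (1, 'a', 10, 2001), (2, 'b', 11, 2002), (3, 'c', 10, 2003);
""")

def parse_filter(expr):
    """Split a simplified DAAP filter 'daap.songalbumid:10' into (column, value)."""
    field, sep, value = expr.partition(":")
    if not sep or field not in INT_FIELDS:
        raise ValueError("unsupported field")
    # The column name comes from the allowlist, never from the request.
    return INT_FIELDS[field], value

def query_vulnerable(expr):
    """Splices the raw value into SQL: any text after the digits runs as SQL."""
    column, value = parse_filter(expr)
    sql = f"SELECT id FROM files WHERE {column} = {value} ORDER BY id"
    return [row[0] for row in DB.execute(sql)]

def query_hardened(expr):
    """Integer-mapped field: require a strict integer, then bind it as a parameter."""
    column, value = parse_filter(expr)
    if not re.fullmatch(r"-?\d+", value):
        raise ValueError("integer-mapped field requires an integer value")
    sql = f"SELECT id FROM files WHERE {column} = ? ORDER BY id"
    return [row[0] for row in DB.execute(sql, (int(value),))]

def hardened_rejects(expr):
    """True if the hardened path refuses the filter instead of running it."""
    try:
        query_hardened(expr)
    except ValueError:
        return True
    return False
```

With a well-formed filter both paths return the same rows; a value carrying extra SQL widens the vulnerable path's result to the whole library, while the hardened path rejects it before any query runs.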
Exploit Status
EPSS
0.05% (percentile 15%)
CISA SSVC
The recommended solution to address CVE-2026-41457 is to update OwnTone Server to version 29.1.0 or higher. This version includes the necessary fixes to prevent SQL injection in DAAP query and filter handling. In the interim, as a temporary measure, restrict access to the OwnTone Server to trusted users and networks. Regularly monitor server logs for suspicious activity that may indicate an exploitation attempt. Consistent application of security patches is a fundamental practice for maintaining system security.
Update OwnTone Server to version 29.1.0 or later to mitigate the SQL injection vulnerability. This update corrects the inadequate sanitization of the 'query=' and 'filter=' parameters in DAAP query and filter handling, preventing the injection of malicious SQL code.
DAAP (Digital Audio Access Protocol) is a protocol used to access and control media libraries.
SQL injection is an attack that allows attackers to insert malicious SQL code into a database query, potentially leading to unauthorized data access.
As a temporary measure, restrict access to the server and monitor logs for suspicious activity.
The vulnerability affects versions 28.4 through 29.0. Earlier and later versions are not affected.
The update to version 29.1.0 is available on the official OwnTone website.