Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Music Assistant Server Path Traversal in Playlist Update API Allows Remote Code Execution
Vulnerability Description
Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass the .m3u extension enforcement and write files anywhere on the filesystem, which is exacerbated by the container running as root. This can be exploited to achieve Remote Code Execution by writing a malicious .pth file to the Python site-packages directory, which will execute arbitrary commands when Python loads. This issue has been fixed in version 2.7.0.
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
Music Assistant 代码问题漏洞
Vulnerability Description
Music Assistant是Music Assistant开源的一个媒体库管理器。 Music Assistant 2.6.3及之前版本存在代码问题漏洞,该漏洞源于music/playlists/update API允许绕过.m3u扩展名限制并任意写入文件,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A