Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
gonic is a free-software music streaming server that implements the Subsonic server API. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can pass the `id` of a playlist owned by any other user (including admin) to delete it, or to read the full contents (name, comment, song list) of that user's **private** (non-public) playlist. The Subsonic playlist `id` is `base64url("<userID>/<filename>.m3u")`. Because filenames are user-supplied or time-derived and the `userID` is a small integer, IDs are guessable and frequently exposed (e.g. a previously-public playlist that was later made private still has the same ID). This breaks the multi-user trust boundary of gonic: a low-privileged user can wipe an administrator's curated playlists, and a user can exfiltrate any private playlist they obtain an ID for. The issue was fixed in commit `6dd71e6a3c966867ef8c900d359a7df75789f410`, which is part of version 0.21.0.
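The check that was missing, shown as an added Go example that is not gonic's own code: the id format `base64url("<userID>/<filename>.m3u")` comes from the advisory, but the types and function names (`Store`, `ParsePlaylistID`, `LoadUnchecked`, `LoadForUser`, `DeleteForUser`) are hypothetical, the sample playlists are constructed, and the rule that admins get no bypass is an assumption. `LoadUnchecked` mirrors the pre-fix behaviour (any well-formed id resolves regardless of who asks); `LoadForUser` binds the decoded owner in the id to the requesting user before returning or deleting anything.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Playlist is an in-memory stand-in for a stored playlist record (hypothetical).
type Playlist struct {
	OwnerID int      // user ID of the owner
	Name    string   // display name
	Public  bool     // Subsonic "public" flag
	Songs   []string // track identifiers
}

// PlaylistRef is the decoded form of a Subsonic playlist id, which the
// advisory describes as base64url("<userID>/<filename>.m3u").
type PlaylistRef struct {
	OwnerID  int
	Filename string
}

var (
	ErrBadID     = errors.New("malformed playlist id")
	ErrNotFound  = errors.New("playlist not found")
	ErrForbidden = errors.New("playlist belongs to another user")
)

// ParsePlaylistID decodes an id (padded or unpadded base64url) and validates
// its shape: positive integer owner, ".m3u" suffix, no path separators or "..".
func ParsePlaylistID(id string) (PlaylistRef, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(id, "="))
	if err != nil {
		return PlaylistRef{}, ErrBadID
	}
	parts := strings.SplitN(string(raw), "/", 2)
	if len(parts) != 2 {
		return PlaylistRef{}, ErrBadID
	}
	owner, err := strconv.Atoi(parts[0])
	if err != nil || owner <= 0 {
		return PlaylistRef{}, ErrBadID
	}
	name := parts[1]
	if !strings.HasSuffix(name, ".m3u") || strings.ContainsAny(name, "/\\") || strings.Contains(name, "..") {
		return PlaylistRef{}, ErrBadID
	}
	return PlaylistRef{OwnerID: owner, Filename: name}, nil
}

// MakePlaylistID is the inverse of ParsePlaylistID; used here to build sample ids.
func MakePlaylistID(ownerID int, filename string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(strconv.Itoa(ownerID) + "/" + filename))
}

// Store maps a decoded reference to a playlist; a stand-in for the filesystem or DB.
type Store map[PlaylistRef]*Playlist

// LoadUnchecked is the pre-fix pattern: a valid id resolves with no check
// against the requesting user. Kept only to contrast with LoadForUser.
func (s Store) LoadUnchecked(id string) (*Playlist, error) {
	ref, err := ParsePlaylistID(id)
	if err != nil {
		return nil, err
	}
	pl, ok := s[ref]
	if !ok {
		return nil, ErrNotFound
	}
	return pl, nil
}

// LoadForUser is the hardened path. Reads are allowed to the owner, or to
// anyone if the playlist is public; writes (delete) require ownership.
// Assumption: no admin bypass. The stored owner is cross-checked against the
// owner encoded in the id so a mismatched record is never handed out.
func (s Store) LoadForUser(id string, requesterID int, write bool) (*Playlist, error) {
	ref, err := ParsePlaylistID(id)
	if err != nil {
		return nil, err
	}
	pl, ok := s[ref]
	if !ok {
		return nil, ErrNotFound
	}
	if pl.OwnerID != ref.OwnerID {
		return nil, ErrForbidden
	}
	if ref.OwnerID != requesterID && (write || !pl.Public) {
		return nil, ErrForbidden
	}
	return pl, nil
}

// DeleteForUser removes a playlist only after LoadForUser grants write access.
func (s Store) DeleteForUser(id string, requesterID int) error {
	if _, err := s.LoadForUser(id, requesterID, true); err != nil {
		return err
	}
	ref, _ := ParsePlaylistID(id)
	delete(s, ref)
	return nil
}

func main() {
	// Constructed sample data: user 1 owns a private playlist, user 2 a public one.
	s := Store{
		{1, "favorites.m3u"}: {OwnerID: 1, Name: "favorites", Public: false, Songs: []string{"tr-1", "tr-2"}},
		{2, "party.m3u"}:     {OwnerID: 2, Name: "party", Public: true, Songs: []string{"tr-9"}},
	}
	adminList := MakePlaylistID(1, "favorites.m3u")
	_, err := s.LoadForUser(adminList, 2, false)
	fmt.Println("user 2 reading user 1's private playlist:", err)
	fmt.Println("user 2 deleting user 1's playlist:", s.DeleteForUser(adminList, 2))
	_, err = s.LoadUnchecked(adminList)
	fmt.Println("same read through the unchecked path:", err)
}
```

Two design points worth noting. First, the ownership decision is made from the decoded id and the stored record together, never from the id alone, so a record whose owner disagrees with the id is refused rather than trusted. Second, a non-owner asking for a private playlist receives `ErrForbidden` here for clarity; a production handler may prefer to answer with the same "not found" response it gives for nonexistent ids, so that the endpoint does not confirm which guessed ids exist.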
Problem Types
| Type | CWE ID | Description |
|---|---|---|
| CWE | CWE-285 | CWE-285: Improper Authorization |
| CWE | CWE-639 | CWE-639: Authorization Bypass Through User-Controlled Key |
Metrics
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |