@nyxfqq
Created July 31, 2024 03:09
CVE-2024-41259
[Suggested description]
Navidrome v0.52.3 was discovered to use an insecure hashing algorithm
to generate URLs.
The official Gravatar documentation now advocates using SHA-256 to generate URLs,
as demonstrated in their API example (https://docs.gravatar.com/api/avatars/go/).
An MD5-based URL could potentially lead to situations where an attacker changes
another user's info under a controlled email address, introducing security
vulnerabilities due to the known weaknesses of the MD5 algorithm. Although
this concern primarily pertains to Gravatar's service, adhering to best
practices by upgrading to a more secure hashing algorithm such as
SHA-256 would significantly mitigate these risks.
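
The change the description recommends, as an added example (not Navidrome's code and not part of the original report): the MD5 URL form beside the SHA-256 form, plus a small audit helper that classifies an avatar URL by digest length. The endpoint constant, the function names and the sample address are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// avatarBase is an assumed Gravatar endpoint, not taken from Navidrome's source.
const avatarBase = "https://www.gravatar.com/avatar/"

// LegacyURL is the "before": MD5 over the trimmed, lowercased address.
func LegacyURL(email string) string {
	sum := md5.Sum([]byte(strings.ToLower(strings.TrimSpace(email))))
	return avatarBase + hex.EncodeToString(sum[:])
}

// AvatarURL is the "after": same normalization, SHA-256 digest, size in pixels.
func AvatarURL(email string, size int) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
	return fmt.Sprintf("%s%s?s=%d", avatarBase, hex.EncodeToString(sum[:]), size)
}

// HashKind audits an avatar URL: 32 hex digits in the last path segment = MD5, 64 = SHA-256.
func HashKind(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "invalid"
	}
	seg := path.Base(u.Path)
	if _, err := hex.DecodeString(seg); err == nil {
		switch len(seg) {
		case 32:
			return "md5"
		case 64:
			return "sha256"
		}
	}
	return "unknown"
}

func main() {
	fmt.Println(HashKind(LegacyURL("alice@example.com"))) // constructed sample address
	fmt.Println(AvatarURL(" Alice@Example.COM ", 80))
}
```

HashKind can be run over avatar URLs found in rendered pages or logs to confirm that no MD5-derived URL is still being emitted after an upgrade.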
------------------------------------------
[VulnerabilityType Other]
CWE-305 CWE-306
------------------------------------------
[Vendor of Product]
https://github.com/navidrome/navidrome
------------------------------------------
[Affected Product Code Base]
navidrome - <=0.52.3
------------------------------------------
[Affected Component]
gravatar
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
The code uses the MD5 algorithm to hash the email address and compute the URL of the avatar.
------------------------------------------
[Discoverer]
Yuexi Zhang
------------------------------------------
[Reference]
http://navidrome.com
https://docs.gravatar.com/api/avatars/go/
https://github.com/navidrome/navidrome