CVE-2023-36177
Description
An issue discovered in badaix Snapcast version 0.27.0 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted request in the JSON-RPC API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted JSON-RPC request in Snapcast 0.27.0 allows remote code execution and sensitive information disclosure without authentication.
Vulnerability
The vulnerability resides in the JSON-RPC API of Snapcast version 0.27.0. The server does not properly validate or sanitize incoming JSON-RPC requests, allowing a remote attacker to send a specially crafted request that can trigger arbitrary code execution or disclose sensitive information. No authentication or special privileges are required to reach the vulnerable code path.
Exploitation
An attacker can exploit this vulnerability by sending a malicious JSON-RPC request over the network to the Snapcast server. No prior authentication is needed, and the attacker does not require any special user interaction or access. The crafted request manipulates the RPC handler to execute unintended commands or leak internal data.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Snapcast server, potentially gaining full control of the affected system. Additionally, sensitive information can be extracted from the server, compromising confidentiality and integrity. The attacker achieves remote code execution without authentication, leading to a complete system compromise.
Mitigation
As of the publication date of this CVE entry (2024-01-23), no official patch or fixed version has been released by the vendor. The reference URL [1] points to a generic default server page and does not contain any security advisory. Users are advised to restrict network access to the Snapcast JSON-RPC API (e.g., via firewall rules) and monitor for any vendor updates or workarounds. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Snapcast/Snapcast (description)
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.