Vulnerability: Auth results not logged #4907
andreasbrett started this conversation in Feature requests and ideas
Replies: 0 comments
Music Assistant currently doesn't log authentication success or failure events, which creates a weakness / vulnerability. As outlined in CWE-778, this lack of logging can leave the app vulnerable to attacks like brute force or unauthorized access.
Could you please add logs for both successful and failed login attempts? This would improve security and allow for better monitoring using tools like CrowdSec or Fail2Ban. I plan on creating a CrowdSec parser and scenarios for Music Assistant, and this would lay the foundation.
For details on implementation requirements, consider also consulting OWASP Top 10 A09.
Without digging too much into MA code, I think this should be introduced in https://github.com/music-assistant/server/blob/5e3f804cf1bc53e8d2dbc2a93ab990736660cbb1/music_assistant/controllers/webserver/controller.py#L720.
Downstream security tools like CrowdSec require that the log line contains:
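One concrete shape the requested logging could take, added here as an illustration and not Music Assistant code or a patch against the controller linked above: a hypothetical `log_auth_event` helper that writes one fixed-field line per login attempt (with the username sanitised so a crafted value cannot forge a second line, CWE-117), the regex a CrowdSec parser or Fail2Ban failregex could anchor on, and a sliding-window brute-force check run over constructed sample lines. The logger name, field layout, threshold, window and the RFC 5737 sample addresses are all assumptions of this example.

```python
"""Added example (not Music Assistant code): emit auth-result log lines that a
Fail2Ban/CrowdSec-style tool can parse, then parse them and flag brute force."""
from __future__ import annotations

import logging
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical logger name; nothing here uses Music Assistant's real internals.
LOG = logging.getLogger("music_assistant.auth")

# Newlines, other control characters and double quotes are the characters an
# attacker-chosen username could use to break out of the line or the field.
_CONTROL = re.compile(r'[\x00-\x1f\x7f"]')


def _clean(value: str) -> str:
    """Neutralise log injection (CWE-117) and cap the field length."""
    return _CONTROL.sub("_", value)[:64]


def auth_log_line(result: str, user: str, ip: str, reason: str = "-",
                  when: datetime | None = None) -> str:
    """Build one auth-result line with fixed key=value tokens (assumed format).
    `ip` and `reason` are program-chosen tokens without spaces; `user` is not."""
    if result not in ("success", "failure"):
        raise ValueError("result must be 'success' or 'failure'")
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return (f'{ts} auth result={result} user="{_clean(user)}" '
            f'ip={_clean(ip)} reason={_clean(reason)}')


def log_auth_event(result: str, user: str, ip: str, reason: str = "-") -> str:
    """Emit the line (success at INFO, failure at WARNING) and return it."""
    line = auth_log_line(result, user, ip, reason)
    (LOG.info if result == "success" else LOG.warning)("%s", line)
    return line


# Downstream side: the pattern a CrowdSec parser or Fail2Ban jail would use.
AUTH_RE = re.compile(
    r'^(?P<ts>\S+) auth result=(?P<result>success|failure) '
    r'user="(?P<user>[^"]*)" ip=(?P<ip>\S+) reason=(?P<reason>\S+)$'
)


def parse_auth_line(line: str) -> dict | None:
    """Return the event fields, or None for a line that is not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def brute_force_sources(lines, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> set[str]:
    """Sliding-window scenario: an IP with `threshold` failures inside `window`
    is flagged, which is what a Fail2Ban jail or CrowdSec scenario would ban."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: set[str] = set()
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["result"] != "failure":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["ip"])
    return flagged


# Constructed sample log: one guessing host, one stray failure, one success.
T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    auth_log_line("failure", "admin", "203.0.113.5", "bad_password",
                  T0 + timedelta(seconds=5 * i))
    for i in range(6)
] + [
    auth_log_line("failure", "alice", "198.51.100.7", "bad_password",
                  T0 + timedelta(seconds=10)),
    auth_log_line("success", "alice", "198.51.100.7", "-",
                  T0 + timedelta(seconds=12)),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for ln in SAMPLE_LINES:
        print(ln)
    print("flagged:", brute_force_sources(SAMPLE_LINES))
```

Logging the failure at WARNING and the success at INFO keeps both events in the stream (the success line is what lets an analyst see a brute-force run that eventually worked), while the fixed token order makes the downstream regex cheap and unambiguous. The sanitiser matters as much as the format: without it, a username containing a newline and `auth result=success` would appear to the parser as a second, forged event.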