#VU75524 Path traversal in Jellyfin - CVE-2023-30626

Cybersecurity Help s.r.o.

Published: 2023-04-26

Vulnerability identifier: #VU75524

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-30626

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jellyfin
Client/Desktop applications / Other client software

Vendor: Jellyfin

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system, leading to arbitrary code execution.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Jellyfin: 10.0.0 - 10.8.9

External links
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m
https://github.com/jellyfin/jellyfin/pull/5918
https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7
https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44
https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10
https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Jellyfin