Unrated severityNVD Advisory· Published Dec 13, 2023· Updated Aug 2, 2024
Jellyfin Possible Remote Code Execution via custom FFmpeg binary
CVE-2023-48702
Description
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the /System/MediaEncoder/Path endpoint executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. A malicious administrator can setup a network share and supply a UNC path to /System/MediaEncoder/Path which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86mitrex_refsource_MISC
- github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmrmitrex_refsource_MISC
- securitylab.github.com/advisories/GHSL-2023-028_jellyfin/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.