VYPR
Unrated severityNVD Advisory· Published Dec 13, 2023· Updated Aug 2, 2024

Jellyfin Possible Remote Code Execution via custom FFmpeg binary

CVE-2023-48702

Description

Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the /System/MediaEncoder/Path endpoint executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. A malicious administrator can setup a network share and supply a UNC path to /System/MediaEncoder/Path which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Jellyfin/Jellyfinllm-fuzzy2 versions
    <10.8.13+ 1 more
    • (no CPE)range: <10.8.13
    • (no CPE)range: < 10.8.13

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.