Unrated severityNVD Advisory· Published Dec 13, 2023· Updated Aug 2, 2024

Jellyfin Possible Remote Code Execution via custom FFmpeg binary

CVE-2023-48702

Description

Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the /System/MediaEncoder/Path endpoint executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. A malicious administrator can setup a network share and supply a UNC path to /System/MediaEncoder/Path which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.

Affected products

Jellyfin/Jellyfinv5
Range: < 10.8.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86mitrex_refsource_MISC
github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmrmitrex_refsource_MISC
securitylab.github.com/advisories/GHSL-2023-028_jellyfin/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000