CVE-2023-48702

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-48702
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48702.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-48702
Aliases
  • GHSA-rr9h-w522-cvmr
Published
2023-12-13T21:15:07Z
Modified
2024-09-03T04:42:11.511804Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the /System/MediaEncoder/Path endpoint executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. A malicious administrator can setup a network share and supply a UNC path to /System/MediaEncoder/Path which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.

References

Affected packages

Git / github.com/jellyfin/jellyfin

Affected ranges

Type
GIT
Repo
https://github.com/jellyfin/jellyfin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v10.*

v10.0.0
v10.0.1
v10.0.2
v10.2.0
v10.2.1
v10.2.2
v10.3.0
v10.3.0-rc1
v10.3.0-rc2
v10.3.1
v10.3.2
v10.3.3
v10.3.4
v10.3.5
v10.3.6
v10.3.7
v10.4.0
v10.5.0
v10.6.0
v10.8.0
v10.8.0-alpha1
v10.8.0-alpha2
v10.8.0-alpha3
v10.8.0-alpha4
v10.8.0-alpha5
v10.8.0-beta1
v10.8.0-beta2
v10.8.0-beta3
v10.8.1
v10.8.10
v10.8.11
v10.8.12
v10.8.2
v10.8.3
v10.8.4
v10.8.5
v10.8.6
v10.8.7
v10.8.8
v10.8.9

v3.*

v3.5.2-5