Skip to content

Jellyfin remote code execution

Critical
PrivatePuffin published GHSA-vxrj-5v2f-64q7 Apr 24, 2023

Package

jellyfin (Helm/TrueCharts)

Affected versions

<14.0.8

Patched versions

14.0.9
npm jellyfin-web (npm)
> 10.1.0
10.8.10

Description

Summary

GHSA-9p5f-5x8v-x65m and GHSA-89hp-h43h-r5pq can be combined to allow remote code execution for any authenticated Jellyfin user including non-admin users. While the particular execution mechanism of the former dates to the 10.8.0 release, the latter was present for all Jellyfin releases before this point. It is thus absolutely critical for all Jellyfin administrators, regardless of version, to upgrade to this version if they allow any untrusted users and/or expose their instance to the Internet.

Details

https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10

Impact

Anyone with a public facing Jellyfin instance.

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs

Credits