Unauthenticated Arbitrary File Access in Jellyfin
CVE-2021-21402

7.7HIGH

Key Information:

Vendor

Jellyfin

Status
Jellyfin
Vendor
CVE Published:
23 March 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

What is CVE-2021-21402?

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

Affected Version(s)

jellyfin < 10.7.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-21402-Jellyfin
Created by jiaocoll

CVE-2021-21402
Created by somatrasss

CVE-2021-21402
Created by givemefivw

References

https://github.com/jellyfin/jellyfin/security/advisories/...
x_refsource_CONFIRM
https://github.com/jellyfin/jellyfin/commit/0183ef8e89195...
x_refsource_MISC
https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1
x_refsource_MISC

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.