Server-Side Request Forgery in Jellyfin Affects Data Access
CVE-2023-27161

7.5HIGH

Key Information:

Vendor: Jellyfin
Status: Jellyfin
Vendor: CVE Published:; 10 March 2023

What is CVE-2023-27161?

Jellyfin, a popular media server software, has a vulnerability that allows attackers to execute Server-Side Request Forgery (SSRF) attacks through the /Repositories component. By sending specially crafted POST requests, malicious actors can gain unauthorized access to network resources and potentially sensitive information. Users of Jellyfin versions up to 10.7.7 are strongly advised to assess their systems for this security issue to mitigate risks.

References

http://jellyfin.com

https://github.com/jellyfin/jellyfin

https://notes.sjtu.edu.cn/s/yJ9lPk09a

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 10, 2023
Vulnerability Reserved
Feb 27, 2023