Jellyfin Possible Remote Code Execution via custom FFmpeg binary
CVE-2023-48702
7.2HIGH
What is CVE-2023-48702?
Jellyfin is a media management and streaming server that was vulnerable to arbitrary file execution through the /System/MediaEncoder/Path
endpoint in versions before 10.8.13. By exploiting this flaw, a malicious admin could manipulate a network share to provide a UNC path pointing to a malicious executable, leading to the execution of arbitrary code in the local server context. This vulnerability could potentially compromise the server's security, allowing unauthorized actions to be performed. The vulnerable endpoint has been removed in the latest version to mitigate this issue.
Affected Version(s)
jellyfin < 10.8.13