Argument Injection in FFmpeg codec parameters in Jellyfin
CVE-2023-49096

7.7 HIGH

Key Information:

Vendor: Jellyfin
Status: Vendor
CVE Published: 6 December 2023

What is CVE-2023-49096?

Jellyfin, a free software media system for managing and streaming media, is vulnerable to argument injection in its video streaming endpoints. The flaw is in the VideosController, at the /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container> endpoints, which can be reached without authentication. The videoCodec and audioCodec query parameters are passed into the FFmpeg command line without adequate validation, so whoever controls them can insert additional FFmpeg arguments. Because the endpoints are unauthenticated, an attacker needs only a valid itemId; item IDs are random GUIDs, so guessing one is hard (which is why the attack complexity is rated High), but an attacker who obtains or guesses one can exploit the flaw without any credentials. Successful injection can lead to unauthorized file writes on the server or execution of attacker-controlled scripts. The vulnerability is fixed in Jellyfin 10.8.13; there is no workaround, so users should upgrade.
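The following is an added illustration of the vulnerability class described above, not Jellyfin's code and not a reproduction of the actual bug: a hypothetical streaming handler turns videoCodec/audioCodec query parameters into an FFmpeg command. The vulnerable builder interpolates the raw values into one command string that is then tokenised with shell rules, so a value containing whitespace becomes extra FFmpeg arguments; the hardened builder validates each value against an allow-list of encoder names and keeps every value as a single argv element. The allow-lists, paths and the injected `-loglevel debug` option are constructed for the example (any FFmpeg option could take its place).

```python
"""Argument-injection pattern for FFmpeg codec parameters (constructed example)."""
import re
import shlex

# Hypothetical allow-lists; a real server would derive them from the
# encoders its FFmpeg build actually exposes.
ALLOWED_VIDEO_CODECS = {"h264", "hevc", "vp9", "av1", "copy"}
ALLOWED_AUDIO_CODECS = {"aac", "mp3", "opus", "flac", "copy"}

# A bare encoder name: no whitespace, no leading '-', nothing that can
# be read as an option by the tokeniser or by FFmpeg itself.
_CODEC_NAME = re.compile(r"[a-z0-9_]+")


class CodecValidationError(ValueError):
    """Raised when a codec parameter is not an allow-listed encoder name."""


def build_ffmpeg_args_vulnerable(input_path: str, video_codec: str, audio_codec: str) -> list[str]:
    """Vulnerable pattern: request values are interpolated into a command
    string which is then split. "h264 -loglevel debug" becomes three tokens."""
    command = (
        f"ffmpeg -i {shlex.quote(input_path)} "
        f"-c:v {video_codec} -c:a {audio_codec} -f mp4 pipe:1"
    )
    return shlex.split(command)


def validate_codec(value: str, allowed: set[str]) -> str:
    """Accept only a lower-case encoder name present in the allow-list."""
    name = value.strip().lower()
    if not _CODEC_NAME.fullmatch(name) or name not in allowed:
        raise CodecValidationError(f"codec parameter not permitted: {value!r}")
    return name


def build_ffmpeg_args_hardened(input_path: str, video_codec: str, audio_codec: str) -> list[str]:
    """Hardened pattern: validated values, one per argv element, never a
    joined string. Even a value with spaces would stay one argument here,
    and the allow-list rejects such a value before it gets this far."""
    vc = validate_codec(video_codec, ALLOWED_VIDEO_CODECS)
    ac = validate_codec(audio_codec, ALLOWED_AUDIO_CODECS)
    return ["ffmpeg", "-i", input_path, "-c:v", vc, "-c:a", ac, "-f", "mp4", "pipe:1"]


def injected_options(argv: list[str]) -> list[str]:
    """Option tokens the builder did not emit itself; anything returned
    here originated in a request parameter."""
    expected = {"-i", "-c:v", "-c:a", "-f"}
    return [tok for tok in argv if tok.startswith("-") and tok not in expected]


def outcome_hardened(video_codec: str, audio_codec: str = "aac") -> str:
    """'accepted' or 'rejected' for the hardened builder on a given value."""
    try:
        build_ffmpeg_args_hardened("/media/sample.mkv", video_codec, audio_codec)
        return "accepted"
    except CodecValidationError:
        return "rejected"


if __name__ == "__main__":
    # Constructed attacker-controlled query value, not a real payload.
    payload = "h264 -loglevel debug"
    argv = build_ffmpeg_args_vulnerable("/media/sample.mkv", payload, "aac")
    print("vulnerable argv :", argv)
    print("injected options:", injected_options(argv))
    print("hardened, bad   :", outcome_hardened(payload))
    print("hardened, good  :", outcome_hardened("h264"))
```

The allow-list matters even when the command is already built as an argv list: it is what stops a value like `-report` from being handed to FFmpeg in a position where a later refactor, a shell wrapper, or a different FFmpeg option parser might interpret it as an option rather than an encoder name.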

Affected Version(s)

jellyfin < 10.8.13


CVSS v3.1

Score: 7.7
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Note: the metrics listed here form the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which the CVSS 3.1 formula scores as 8.1, not 7.7. A base score of 7.7 with the same exploitability metrics corresponds to a Low availability impact (A:L), so the score and the Availability metric shown here are inconsistent with each other; check the scoring source before relying on either.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
