Argument Injection in FFmpeg codec parameters in Jellyfin
CVE-2023-49096
What is CVE-2023-49096?
Jellyfin, a popular free software media system, has a vulnerability allowing argument injection in its streaming endpoints. Specifically, the issue resides in the VideosController at the /Videos/<itemId>/stream
and /Videos/<itemId>/stream.<container>
URLs, which can be accessed without authentication. An unauthenticated attacker might exploit this flaw by guessing a random itemId. Although challenging, they could modify certain parameters such as videoCodec and audioCodec which are insecurely processed. This could permit the insertion of harmful arguments into FFmpeg commands. Consequently, this may lead to unauthorized file manipulation or execution of malicious scripts. The vulnerability has been resolved in version 10.8.13, and users are strongly urged to upgrade, as no effective workaround is available.
Affected Version(s)
jellyfin < 10.8.13