Impact
Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several vulnerabilities and can be done by an unprivileged user.
This advisory covers a stored XSS in device.js, which can be used to make arbitrary calls to the REST endpoints with admin privileges.
When combined with the ability to write arbitrary content into a logfile via this endpoint, this results in remote code execution on the Jellyfin instance in the context of the user who is running it.
Details to be provided at a future time.
Patches
10.8.10
Workarounds
N/A
References
A complete write-up is available here: https://gebir.ge/blog/peanut-butter-jellyfin-time/