CVE-2021-29490

Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.7.3

Description: The issue allows unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter, potentially exposing internal and external HTTP servers or other resources available via HTTP GET that are visible from the Jellyfin server.

Recommendations: For versions prior to 10.7.3, update to version 10.7.3 to resolve the issue. As a temporary workaround, consider disabling external access to the API endpoints "/Items/*/RemoteImages/Download", "/Items/RemoteSearch/Image", and "/Images/Remote" via reverse proxy, or limit access to known-friendly IPs.