PT-2023-30911 · Jellyfin · Jellyfin

Kwstubbs · Published 2023-12-13 · Updated 2023-12-18 · CVE-2023-48702

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.8.13
Description: Jellyfin is a system for managing and streaming media. The /System/MediaEncoder/Path endpoint hands the supplied path to ProcessStartInfo in the ValidateVersion function and executes it without checking where the path points. A malicious administrator can set up a network share, place an executable on it, and supply a UNC path to /System/MediaEncoder/Path that points at that executable, causing the Jellyfin server to run it in the server's local context. Approximately 355,217 devices are potentially affected, mainly in China, the United States, and other countries.
Recommendations: For versions prior to 10.8.13, update to version 10.8.13 or later; the vulnerable endpoint was removed in that version. As a temporary workaround, restrict access to the /System/MediaEncoder/Path endpoint until the update is applied. Additionally, until the issue is resolved, do not rely on the ValidateVersion check, since it starts whatever executable it is given through ProcessStartInfo.
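The following C# is an added illustration of the pattern the description refers to, set beside one way of hardening it. It is not Jellyfin's code and not the fix that shipped in 10.8.13 (which removed the endpoint outright); the class, method and directory names (MediaEncoderPathChecker, ValidateVersionUnsafe, ValidateVersionHardened, AllowedEncoderDirectories) are hypothetical stand-ins.

```csharp
#nullable enable
using System;
using System.Diagnostics;
using System.IO;

// Added illustration for CVE-2023-48702; not Jellyfin's code and not the shipped
// fix (10.8.13 removed the endpoint). Class, method and directory names are
// hypothetical stand-ins for the pattern the advisory describes.
public static class MediaEncoderPathChecker
{
    // VULNERABLE PATTERN: whatever path the (admin) caller supplied becomes the
    // FileName that Process.Start launches. A UNC path such as
    // \\attacker\share\ffmpeg.exe is executed with the server's privileges;
    // the "-version" argument does not matter because the attacker owns the binary.
    public static string ValidateVersionUnsafe(string encoderPath)
    {
        var psi = new ProcessStartInfo
        {
            FileName = encoderPath,
            Arguments = "-version",
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true,
        };
        using var process = Process.Start(psi)
            ?? throw new InvalidOperationException("process did not start");
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        return output;
    }

    // Hypothetical allow-list: the only directories an encoder binary may live in.
    public static readonly string[] AllowedEncoderDirectories =
    {
        "/usr/lib/jellyfin-ffmpeg",
        "/usr/bin",
    };

    // HARDENED: only a vetted local path ever reaches ProcessStartInfo. Returns
    // null on rejection so the endpoint can answer 400 without starting anything.
    public static string? ValidateVersionHardened(string encoderPath)
    {
        return IsSafeEncoderPath(encoderPath, AllowedEncoderDirectories)
            ? ValidateVersionUnsafe(encoderPath)
            : null;
    }

    public static bool IsSafeEncoderPath(string candidate, string[] allowedDirs)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return false;

        // Reject UNC, device and "//server/share" forms before any normalisation;
        // on Linux a backslash is an ordinary character and GetFullPath would not help.
        if (candidate.StartsWith(@"\\") || candidate.StartsWith("//"))
            return false;

        string full;
        try
        {
            full = Path.GetFullPath(candidate); // resolves "..", normalises separators
        }
        catch (Exception)
        {
            return false; // invalid path syntax
        }

        // Belt and braces: Windows may still classify the normalised path as UNC.
        if (Uri.TryCreate(full, UriKind.Absolute, out var uri) && uri.IsUnc)
            return false;

        // The binary must sit directly inside an allow-listed directory.
        string? dir = Path.GetDirectoryName(full);
        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        bool underAllowed = false;
        foreach (string allowed in allowedDirs)
        {
            if (string.Equals(dir, Path.GetFullPath(allowed), cmp))
            {
                underAllowed = true;
                break;
            }
        }
        if (!underAllowed)
            return false;

        // It must exist and must not be a symlink that could be repointed elsewhere.
        var info = new FileInfo(full);
        return info.Exists && info.LinkTarget == null;
    }

    // Constructed sample inputs; nothing is executed here, only the checker runs.
    public static void Main()
    {
        string[] samples =
        {
            @"\\attacker.example\share\ffmpeg.exe", // UNC: rejected
            "//attacker.example/share/ffmpeg",       // UNC-like: rejected
            "/tmp/../usr/bin/ffmpeg",                // traversal, normalises to /usr/bin/ffmpeg
            "/usr/lib/jellyfin-ffmpeg/ffmpeg",       // accepted only if it exists locally
        };
        foreach (string s in samples)
            Console.WriteLine($"{s} -> {IsSafeEncoderPath(s, AllowedEncoderDirectories)}");
    }
}
```

The allow-list check is the part that matters: rejecting the `\\` and `//` prefixes alone is not enough on its own, because an administrator can equally point the path at any local file the service account can execute. The stronger choice, and the one the project took, is to stop accepting an executable path from the API at all. For operators who cannot patch yet, the corresponding interim measure is the one in the recommendations above: deny requests to /System/MediaEncoder/Path in front of the server, for example at a reverse proxy, so the handler is never reached.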

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2023-48702, GHSA-RR9H-W522-CVMR

Affected Products: Jellyfin