PT-2023-31054 · Jellyfin · Jellyfin

Mawalu +1 · Published 2023-12-06 · Updated 2025-04-15 · CVE-2023-49096

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Jellyfin versions prior to 10.8.13

Description

The issue is an argument injection in the VideosController, specifically in the "/Videos/<itemId>/stream" and "/Videos/<itemId>/stream.<container>" endpoints, which are reachable by an unauthenticated user. Additional endpoints in the AudioController might also be vulnerable. To exploit this, an attacker must guess the itemId, which is a random GUID, making direct exploitation unlikely without an additional information leak. The videoCodec and audioCodec query parameters are vulnerable to argument injection, allowing an attacker to inject arguments into the FFmpeg command line. This could potentially enable overwriting an arbitrary file with malicious content.

Recommendations

For versions prior to 10.8.13, upgrade to version 10.8.13 or later to address the vulnerability. As a temporary workaround, consider restricting access to the /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container> endpoints until the upgrade is possible. Additionally, limiting the use of query parameters such as videoCodec and audioCodec can help minimize the risk of exploitation.
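
As an added example (not Jellyfin's code and not part of the original advisory), the following sketch reviews reverse-proxy access logs for requests to the two stream endpoints whose videoCodec or audioCodec value is not a plain codec list. The allow-list pattern, the combined-log request format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints named in the advisory: /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container>
STREAM_PATH = re.compile(r"/Videos/[^/]+/stream(\.[A-Za-z0-9]+)?", re.IGNORECASE)
# Assumption: a legitimate value is a short comma-separated list of codec names
# that starts with a letter or digit (so it can never begin with "-").
SAFE_CODEC = re.compile(r"(?:[A-Za-z0-9][A-Za-z0-9_.,-]{0,39})?")
CODEC_PARAMS = {"videocodec", "audiocodec"}
# Assumption: combined-log-style request field, e.g. "GET /path?query HTTP/1.1"
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[0-9.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '198.51.100.7 - - [06/Dec/2023:10:00:00 +0000] "GET /Videos/0f1e2d3c/stream.mp4?videoCodec=h264&audioCodec=aac HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Dec/2023:10:00:05 +0000] "GET /Videos/0f1e2d3c/stream?videoCodec=h264%20-EXAMPLE_OPTION%20value HTTP/1.1" 200 0',
    '198.51.100.9 - - [06/Dec/2023:10:00:09 +0000] "GET /Items/0f1e2d3c?videoCodec=a%20b HTTP/1.1" 200 64',
]


def suspicious_codec_params(target):
    """Return [(param, value)] for codec parameters that fail the allow-list."""
    parts = urlsplit(target)
    if not STREAM_PATH.fullmatch(parts.path):
        return []  # not one of the endpoints the advisory names
    hits = []
    # parse_qsl percent-decodes, so encoded spaces and dashes are checked decoded.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CODEC_PARAMS and not SAFE_CODEC.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Yield (line_number, findings) for log lines that need review."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            findings = suspicious_codec_params(match.group(1))
            if findings:
                yield number, findings


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {findings}")
```

The same allow-list check can back a reverse-proxy rule that rejects non-matching requests while the upgrade to 10.8.13 is pending.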

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2023-49096
GHSA-866X-WJ5J-2VF4

Affected Products

Jellyfin