CVE-2023-48702

7.2 HIGH

📋 TL;DR

This vulnerability allows a malicious administrator in Jellyfin to execute arbitrary code on the server by exploiting a path traversal issue in the media encoder configuration endpoint. Attackers can supply UNC paths pointing to executables on network shares, causing the server to run them locally. Only Jellyfin instances with untrusted administrators are affected.

💻 Affected Systems

Products:
  • Jellyfin
Versions: All versions prior to 10.8.13
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator access to exploit. The endpoint is accessible to authenticated admin users only.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Malicious administrator gains persistent access to the server, potentially stealing media files or using the server for further attacks.

🟢 If Mitigated

Limited impact if administrators are trusted and network shares are restricted, though the vulnerability still exists.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once access is obtained. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8.13

Vendor Advisory: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr

Restart Required: Yes

Instructions:

1. Back up your Jellyfin configuration and database.
2. Stop the Jellyfin service.
3. Update to version 10.8.13 or later using your package manager or a manual installation.
4. Restart the Jellyfin service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Admin Access (applies to: all platforms)

Limit administrator accounts to trusted personnel only and implement strong authentication controls.

Network Segmentation (applies to: all platforms)

Block outbound SMB/UNC connections from the Jellyfin server to prevent access to malicious network shares.

🧯 If You Can't Patch

  • Implement strict access controls to ensure only trusted users have admin privileges.
  • Monitor and audit administrator activities, particularly changes to media encoder paths.

🔍 How to Verify

Check if Vulnerable:

Check if Jellyfin version is below 10.8.13. The vulnerable endpoint /System/MediaEncoder/Path exists in vulnerable versions.

Check Version:

On Linux: systemctl status jellyfin | grep version or check web interface. On Windows: Check Services panel or web interface.

Verify Fix Applied:

Confirm Jellyfin version is 10.8.13 or higher. The /System/MediaEncoder/Path endpoint should no longer be present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity, particularly POST requests to /System/MediaEncoder/Path with UNC paths

Network Indicators:

  • Outbound SMB connections from Jellyfin server to unfamiliar IP addresses

SIEM Query:

source="jellyfin.log" AND (uri_path="/System/MediaEncoder/Path" OR message="UNC" OR message="\\\\")
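The log indicator above (POST requests to /System/MediaEncoder/Path carrying a UNC path) and the "audit changes to media encoder paths" advice can be turned into a small triage script. This is an added example, not code from the advisory or from the Jellyfin project; it assumes a hypothetical reverse-proxy or audit log that records the request body as JSON with a "Path" field (Jellyfin's own log does not record request bodies), and the sample lines are constructed.

```python
"""Flag every change to the Jellyfin media-encoder path and rate UNC targets high.

Added example for CVE-2023-48702 triage. Assumed (hypothetical) log line format:
    <timestamp> <user> <method> <uri_path> <json body>
"""
import json
import re

ENCODER_PATH_ENDPOINT = "/System/MediaEncoder/Path"

# UNC path in decoded form: \\host\share\... (also the //host/share variant).
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+[\\/]")

# Hypothetical audit line: "<ts> <user> <method> <path> <json body>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def is_unc_path(value: str) -> bool:
    """True for \\\\host\\share\\... or //host/share/... targets."""
    return bool(UNC_RE.match(value))


def encoder_path_changes(lines):
    """Yield one record per request that rewrites the encoder path.

    severity: "high" when the new path points at a network share (UNC),
    "review" for any other change, which the advisory says should be audited.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, body = m.groups()
        if method != "POST" or path.split("?")[0] != ENCODER_PATH_ENDPOINT:
            continue
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        new_path = data.get("Path") if isinstance(data, dict) else None
        if not isinstance(new_path, str):
            new_path = body  # unparsable body: keep the raw text for the analyst
        yield {"ts": ts, "user": user, "path": new_path,
               "severity": "high" if is_unc_path(new_path) else "review"}


# Constructed sample log (hypothetical format); the last line is the bad one.
SAMPLE_LOG = [
    '2023-12-06T10:01:02Z alice GET /System/Info/Public {}',
    '2023-12-06T10:02:17Z alice POST /System/MediaEncoder/Path '
    '{"Path": "/usr/lib/jellyfin-ffmpeg/ffmpeg"}',
    '2023-12-06T10:03:44Z mallory POST /System/MediaEncoder/Path '
    '{"Path": "\\\\\\\\nas.example.test\\\\share\\\\ffmpeg.exe"}',
]

if __name__ == "__main__":
    for hit in encoder_path_changes(SAMPLE_LOG):
        print(hit)
```

Running the script prints one "review" record for alice's local path and one "high" record for mallory's UNC target.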
