CVE-2023-49096

7.7 HIGH

📋 TL;DR

Jellyfin media server has an argument injection vulnerability in video/audio streaming endpoints that allows unauthenticated attackers to inject malicious arguments into FFmpeg commands. This could lead to arbitrary file overwrites or remote code execution. All Jellyfin instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Jellyfin
Versions: All versions before 10.8.13
Operating Systems: All platforms running Jellyfin
Default Config Vulnerable: ⚠️ Yes
Notes: Endpoints are reachable by unauthenticated users, but exploitation requires guessing random GUID itemId

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠

Likely Case

Arbitrary file overwrite allowing privilege escalation, configuration modification, or denial of service

🟢

If Mitigated

Limited impact, because exploitation requires guessing a random GUID itemId and no information leak that would reveal it is known

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires guessing random GUID itemId, making direct exploitation difficult without additional information leak

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8.13

Vendor Advisory: https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a

Restart Required: Yes

Instructions:

1. Backup your Jellyfin configuration and database.
2. Stop Jellyfin service.
3. Update to version 10.8.13 via package manager or manual installation.
4. Restart Jellyfin service.
5. Verify version is 10.8.13 or higher.

🔧 Temporary Workarounds

No known workarounds

The vendor states there are no known workarounds for this vulnerability

🧯 If You Can't Patch

  • Restrict network access to Jellyfin instance using firewall rules
  • Implement reverse proxy with request validation and rate limiting

🔍 How to Verify

Check if Vulnerable:

Check Jellyfin version via web interface Dashboard or systemctl status jellyfin

Check Version:

systemctl status jellyfin | grep version or check web interface Dashboard

Verify Fix Applied:

Confirm version is 10.8.13 or higher and test streaming functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual FFmpeg command arguments
  • Failed authentication attempts with GUID patterns
  • Multiple requests to /Videos/*/stream endpoints

Network Indicators:

  • Unusual parameter values in streaming requests
  • Multiple failed streaming requests from single IP

SIEM Query:

source="jellyfin.log" AND ("videoCodec" OR "audioCodec") AND ("|" OR ";" OR "$" OR "&")
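Added example, not part of this advisory or of the Jellyfin project: a small Python scanner that applies the log and network indicators above to constructed request-log lines. It checks the decoded videoCodec/audioCodec values against an allowlist of codec-name characters (an assumption, not Jellyfin's own validation) instead of searching the raw line for separators, since "&" appears in every query string, and it counts failed stream requests per source IP; the log line shape is constructed and is not Jellyfin's format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: "<client ip> <method> <request target> <status>".
# Not Jellyfin's log format; adapt LINE_RE to your reverse proxy or app log.
SAMPLE_LOG = """\
203.0.113.7 GET /Videos/00000000-0000-4000-8000-000000000001/stream?videoCodec=h264&audioCodec=aac 200
203.0.113.7 GET /Videos/00000000-0000-4000-8000-000000000002/stream?videoCodec=h264,hevc&audioCodec=aac 404
198.51.100.9 GET /Videos/00000000-0000-4000-8000-000000000001/stream?videoCodec=h264%20extra&audioCodec=aac 200
198.51.100.9 GET /Audio/00000000-0000-4000-8000-000000000001/stream?audioCodec=aac%3Bx 200
203.0.113.7 GET /Items/00000000-0000-4000-8000-000000000001 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
# Streaming endpoints named on the page; the optional container extension is an assumption.
STREAM_PATH_RE = re.compile(r"^/(Videos|Audio)/[0-9a-fA-F-]+/stream(\.\w+)?$")
CODEC_PARAMS = {"videocodec", "audiocodec"}
# Assumed allowlist: a codec name or a comma-separated list of codec names.
CODEC_VALUE_RE = re.compile(r"^[A-Za-z0-9_.+-]+(,[A-Za-z0-9_.+-]+)*$")


def parse_stream_requests(log_text):
    """Yield (ip, status, [(param, decoded value), ...]) for stream endpoint requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not STREAM_PATH_RE.match(parts.path):
            continue
        # parse_qsl percent-decodes values, so "%3B" is inspected as ";"
        yield m["ip"], int(m["status"]), parse_qsl(parts.query, keep_blank_values=True)


def find_suspicious(log_text):
    """Return (ip, param, value) for codec parameters whose value leaves the allowlist."""
    hits = []
    for ip, _status, params in parse_stream_requests(log_text):
        for key, value in params:
            if key.lower() in CODEC_PARAMS and not CODEC_VALUE_RE.match(value):
                hits.append((ip, key, value))
    return hits


def stream_request_counts(log_text):
    """Per source IP: total stream requests and those answered with a 4xx/5xx status."""
    total, failed = Counter(), Counter()
    for ip, status, _params in parse_stream_requests(log_text):
        total[ip] += 1
        if status >= 400:
            failed[ip] += 1
    return {ip: {"total": total[ip], "failed": failed[ip]} for ip in total}
```

Feed the functions a real log once LINE_RE matches its layout; a non-empty result from find_suspicious or a high failed count for one IP is the cue to look at the full request and the FFmpeg command line Jellyfin logged.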
