Vulnerability-Lookup

CVE-2023-30626 (GCVE-0-2023-30626)

Vulnerability from cvelistv5 – Published: 2023-04-24 20:06 – Updated: 2025-02-12 16:34

Title

Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution

Summary

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/jellyfin/jellyfin/security/adv…	x_refsource_CONFIRM
	https://github.com/jellyfin/jellyfin-web/security…	x_refsource_MISC
	https://github.com/jellyfin/jellyfin/pull/5918	x_refsource_MISC
	https://github.com/jellyfin/jellyfin/commit/82ad2…	x_refsource_MISC
	https://github.com/jellyfin/jellyfin/blob/22d8806…	x_refsource_MISC
	https://github.com/jellyfin/jellyfin/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	jellyfin	jellyfin	Affected: >= 10.8.0, < 10.8.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:28:52.037Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/pull/5918",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin/pull/5918"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-30626",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-03T21:00:37.114609Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:34:36.816Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jellyfin",
          "vendor": "jellyfin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.8.0, \u003c 10.8.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-24T20:06:39.400Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
        },
        {
          "name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
        },
        {
          "name": "https://github.com/jellyfin/jellyfin/pull/5918",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jellyfin/jellyfin/pull/5918"
        },
        {
          "name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
        },
        {
          "name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
        },
        {
          "name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
        }
      ],
      "source": {
        "advisory": "GHSA-9p5f-5x8v-x65m",
        "discovery": "UNKNOWN"
      },
      "title": "Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-30626",
    "datePublished": "2023-04-24T20:06:39.400Z",
    "dateReserved": "2023-04-13T13:25:18.833Z",
    "dateUpdated": "2025-02-12T16:34:36.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.8.0\", \"versionEndExcluding\": \"10.8.10\", \"matchCriteriaId\": \"F5C18A18-B001-405D-9787-509225E4E7D2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.\"}]",
      "id": "CVE-2023-30626",
      "lastModified": "2024-11-21T08:00:32.410",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
      "published": "2023-04-24T21:15:09.687",
      "references": "[{\"url\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-30626\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-04-24T21:15:09.687\",\"lastModified\":\"2024-11-21T08:00:32.410\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.8.0\",\"versionEndExcluding\":\"10.8.10\",\"matchCriteriaId\":\"F5C18A18-B001-405D-9787-509225E4E7D2\"}]}]}],\"references\":[{\"url\":\"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/pull/5918\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/pull/5918\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"name\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"name\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"name\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"name\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"name\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"name\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:28:52.037Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-30626\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-03T21:00:37.114609Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T16:34:31.376Z\"}}], \"cna\": {\"title\": \"Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution\", \"source\": {\"advisory\": \"GHSA-9p5f-5x8v-x65m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"jellyfin\", \"product\": \"jellyfin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 10.8.0, \u003c 10.8.10\"}]}], \"references\": [{\"url\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"name\": \"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"name\": \"https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"name\": \"https://github.com/jellyfin/jellyfin/pull/5918\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"name\": \"https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"name\": \"https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"name\": \"https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-04-24T20:06:39.400Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-30626\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T16:34:36.816Z\", \"dateReserved\": \"2023-04-13T13:25:18.833Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-04-24T20:06:39.400Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-9P5F-5X8V-X65M

Vulnerability from github – Published: 2023-04-24 22:39 – Updated: 2023-05-09 16:24

Summary

Directory traversal + file write causing arbitrary code execution

Details

Impact

Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user.

The general process is (using the example of setting an intro video as the payload):

Create a session as a low-priviledged user with a crafted authorization header
Upload an executable that contains a malicious plugin inline via /ClientLog/Document
(Admin hovers over our device in dashboard -> XSS payload gets triggered)
XSS Payload tries to set encoder path to our uploaded "log" file via /System/MediaEncoder/Path
The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version)
The executable will create a plugin folder and place the inlined plugin DLL inside it
The XSS payload shuts down the server via /System/Shutdown (separate CVE in jellyfin-web)
After (manually) starting the server, the plugin gets loaded and will:
- write a new video into the Jellyfin temp folder and register it
- register this video as the new intro
- and finally provide a malicious endpoint that simply executes system commands and sends back the results

The ability to write arbitrary content to log files was added in #5918 to allow flexibility to client logging.

The following two sections detail Frederic's exact determinations regarding the two vulnerabilities.

Directory traversal and file write

I've been reading the codebase here and there for a couple of days and found a directory traversal inside the ClientLogController, specifically /ClientLog/Document.

The GetRequestInformation method retrieves the name and version of the client from the HttpContext.User object.

Those values are attacker controlled when authenticating against the API. Both values are interpolated into a string, which ultimately ends up as an argument to Path.Combine().

Setting a client name to the relative path "........\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test" will write a file with completely attacker controlled content to the executing user's autostart directory.

However, because the attacker only partially controls the filename, exploitation proves to be tricky. That's because the resulting file will always end in ".log", which means putting something in the autostart directory is only going to open notepad on startup. I mean, we can at least insult the user :^).

Anyway, the next logical step would be to write into Jellyfin's plugins directory, but the sub-directories there (of which the already existing configurations directory conveniently counts as one!) are only getting scanned for ".dll" files.

This stops an attacker from providing malicious DLLs that implement the correct interfaces in order to be recognized as legitimate plugins.

On Linux, there might be more options. Running as the standard root user inside a container, an attacker could of course write anywhere. There's the very interesting "/etc/cron.d" directory, where an attacker can place cron jobs that get picked up automatically. Those files, however, can't contain a dot. Moreover, inside the container the cronjobs are probably not being executed, as the Jellyfin process should be only one running.

For the stored XSS component, see https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq

Patches

10.8.10

Workarounds

N/A

References

A complete write-up is available here: https://gebir.ge/blog/peanut-butter-jellyfin-time/

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Jellyfin.Controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.8.0"
            },
            {
              "fixed": "10.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-24T22:39:03Z",
    "nvd_published_at": "2023-04-24T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nFrederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user.\n\nThe general process is (using the example of setting an intro video as the payload):\n\n* Create a session as a low-priviledged user with a crafted authorization header\n* Upload an executable that contains a malicious plugin inline via /ClientLog/Document\n* (Admin hovers over our device in dashboard -\u003e XSS payload gets triggered)\n* XSS Payload tries to set encoder path to our uploaded \"log\" file via /System/MediaEncoder/Path\n* The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version)\n* The executable will create a plugin folder and place the inlined plugin DLL inside it\n* The XSS payload shuts down the server via /System/Shutdown (separate CVE in `jellyfin-web`)\n* After (manually) starting the server, the plugin gets loaded and will:\n    * write a new video into the Jellyfin temp folder and register it\n    * register this video as the new intro\n    * and finally provide a malicious endpoint that simply executes system commands and sends back the results\n\nThe ability to write arbitrary content to log files was added in #5918 to allow flexibility to client logging.\n\nThe following two sections detail Frederic\u0027s exact determinations regarding the two vulnerabilities.\n\n#### Directory traversal and file write\n\nI\u0027ve been reading the codebase here and there for a couple of days and found a directory traversal inside the ClientLogController, specifically /ClientLog/Document.\n\nThe GetRequestInformation method retrieves the name and version of the client from the HttpContext.User object.\n\nThose values are attacker controlled when authenticating against the API. Both values are interpolated into a string, which ultimately ends up as an argument to Path.Combine().\n\nSetting a client name to the relative path \"\\..\\..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\test\" will write a file with completely attacker controlled content to the executing user\u0027s autostart directory.\n\nHowever, because the attacker only partially controls the filename, exploitation proves to be tricky. That\u0027s because the resulting file will always end in \".log\", which means putting something in the autostart directory is only going to open notepad on startup. I mean, we can at least insult the user :^).\n\nAnyway, the next logical step would be to write into Jellyfin\u0027s plugins directory, but the sub-directories there (of which the already existing configurations directory conveniently counts as one!) are only getting scanned for \".dll\" files.\n\nThis stops an attacker from providing malicious DLLs that implement the correct interfaces in order to be recognized as legitimate plugins.\n\nOn Linux, there might be more options. Running as the standard root user inside a container, an attacker could of course write anywhere. There\u0027s the very interesting \"/etc/cron.d\" directory, where an attacker can place cron jobs that get picked up automatically. Those files, however, can\u0027t contain a dot. Moreover, inside the container the cronjobs are probably not being executed, as the Jellyfin process should be only one running.\n\nFor the stored XSS component, see https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq\n\n### Patches\n10.8.10\n\n### Workarounds\nN/A\n\n### References\n\nA complete write-up is available here: https://gebir.ge/blog/peanut-butter-jellyfin-time/",
  "id": "GHSA-9p5f-5x8v-x65m",
  "modified": "2023-05-09T16:24:16Z",
  "published": "2023-04-24T22:39:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin/pull/5918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jellyfin/jellyfin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directory traversal + file write causing arbitrary code execution"
}

FKIE_CVE-2023-30626

Vulnerability from fkie_nvd - Published: 2023-04-24 21:15 - Updated: 2024-11-21 08:00

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq	Vendor Advisory
security-advisories@github.com	https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7	Patch
security-advisories@github.com	https://github.com/jellyfin/jellyfin/pull/5918	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10	Release Notes
security-advisories@github.com	https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin/pull/5918	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m	Exploit, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	jellyfin	jellyfin	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5C18A18-B001-405D-9787-509225E4E7D2",
              "versionEndExcluding": "10.8.10",
              "versionStartIncluding": "10.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds."
    }
  ],
  "id": "CVE-2023-30626",
  "lastModified": "2024-11-21T08:00:32.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-24T21:15:09.687",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/pull/5918"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/pull/5918"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2023-30626

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-30626

Aliases

CVE-2023-30626

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-30626",
    "id": "GSD-2023-30626"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-30626"
      ],
      "details": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.",
      "id": "GSD-2023-30626",
      "modified": "2023-12-13T01:20:52.560714Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-30626",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "jellyfin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 10.8.0, \u003c 10.8.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "jellyfin"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-22",
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/pull/5918",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin/pull/5918"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
          },
          {
            "name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
            "refsource": "MISC",
            "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-9p5f-5x8v-x65m",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[10.8.0,10.8.10)",
          "affected_versions": "All versions starting from 10.8.0 before 10.8.10",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-04-24",
          "description": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.",
          "fixed_versions": [
            "10.8.10"
          ],
          "identifier": "CVE-2023-30626",
          "identifiers": [
            "GHSA-9p5f-5x8v-x65m",
            "CVE-2023-30626"
          ],
          "not_impacted": "All versions before 10.8.0, all versions starting from 10.8.10",
          "package_slug": "nuget/Jellyfin.Controller",
          "pubdate": "2023-04-24",
          "solution": "Upgrade to version 10.8.10 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
            "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-30626",
            "https://github.com/jellyfin/jellyfin/pull/5918",
            "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
            "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
            "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
            "https://github.com/advisories/GHSA-9p5f-5x8v-x65m"
          ],
          "uuid": "903d48b4-62b2-4d91-8782-4050b80283d2"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "10.8.10",
                "versionStartIncluding": "10.8.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-30626"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
            },
            {
              "name": "https://github.com/jellyfin/jellyfin/pull/5918",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/jellyfin/jellyfin/pull/5918"
            },
            {
              "name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
            },
            {
              "name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
            },
            {
              "name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
            },
            {
              "name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-05-04T14:09Z",
      "publishedDate": "2023-04-24T21:15Z"
    }
  }
}

CNVD-2023-32759

Vulnerability from cnvd - Published: 2023-04-28

Title

Jellyfin路径遍历漏洞

Description

Jellyfin是一个免费软件媒体系统。可让您控制媒体的管理和流式传输。它是专有Emby和Plex的替代产品，可以通过多个应用程序将专用服务器中的媒体提供给最终用户设备。 Jellyfin 10.8.0至10.8.10之前版本存在路径遍历漏洞，该漏洞源于ClientLogController中在处理目录请求时的路径缺乏有效性检查，攻击者可利用该漏洞读取任意文件。

Severity

高

Patch Name

Jellyfin路径遍历漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-30626

Impacted products

Name
Jellyfin Jellyfin >=10.8.0，<10.8.10

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-30626",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-30626"
    }
  },
  "description": "Jellyfin\u662f\u4e00\u4e2a\u514d\u8d39\u8f6f\u4ef6\u5a92\u4f53\u7cfb\u7edf\u3002\u53ef\u8ba9\u60a8\u63a7\u5236\u5a92\u4f53\u7684\u7ba1\u7406\u548c\u6d41\u5f0f\u4f20\u8f93\u3002\u5b83\u662f\u4e13\u6709Emby\u548cPlex\u7684\u66ff\u4ee3\u4ea7\u54c1\uff0c\u53ef\u4ee5\u901a\u8fc7\u591a\u4e2a\u5e94\u7528\u7a0b\u5e8f\u5c06\u4e13\u7528\u670d\u52a1\u5668\u4e2d\u7684\u5a92\u4f53\u63d0\u4f9b\u7ed9\u6700\u7ec8\u7528\u6237\u8bbe\u5907\u3002\n\nJellyfin 10.8.0\u81f310.8.10\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eClientLogController\u4e2d\u5728\u5904\u7406\u76ee\u5f55\u8bf7\u6c42\u65f6\u7684\u8def\u5f84\u7f3a\u4e4f\u6709\u6548\u6027\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-32759",
  "openTime": "2023-04-28",
  "patchDescription": "Jellyfin\u662f\u4e00\u4e2a\u514d\u8d39\u8f6f\u4ef6\u5a92\u4f53\u7cfb\u7edf\u3002\u53ef\u8ba9\u60a8\u63a7\u5236\u5a92\u4f53\u7684\u7ba1\u7406\u548c\u6d41\u5f0f\u4f20\u8f93\u3002\u5b83\u662f\u4e13\u6709Emby\u548cPlex\u7684\u66ff\u4ee3\u4ea7\u54c1\uff0c\u53ef\u4ee5\u901a\u8fc7\u591a\u4e2a\u5e94\u7528\u7a0b\u5e8f\u5c06\u4e13\u7528\u670d\u52a1\u5668\u4e2d\u7684\u5a92\u4f53\u63d0\u4f9b\u7ed9\u6700\u7ec8\u7528\u6237\u8bbe\u5907\u3002\r\n\r\nJellyfin 10.8.0\u81f310.8.10\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eClientLogController\u4e2d\u5728\u5904\u7406\u76ee\u5f55\u8bf7\u6c42\u65f6\u7684\u8def\u5f84\u7f3a\u4e4f\u6709\u6548\u6027\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Jellyfin\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Jellyfin Jellyfin \u003e=10.8.0\uff0c\u003c10.8.10"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-30626",
  "serverity": "\u9ad8",
  "submitTime": "2023-04-27",
  "title": "Jellyfin\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-30626 (GCVE-0-2023-30626)

GHSA-9P5F-5X8V-X65M

Impact

Directory traversal and file write

Patches

Workarounds

References

FKIE_CVE-2023-30626

GSD-2023-30626

CNVD-2023-32759

Tags

Sightings

Nomenclature