Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-12-13T20:53:28.786Z
Updated: 2024-08-02T21:37:54.384Z
Reserved: 2023-11-17T19:43:37.554Z
Link: CVE-2023-48702
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-12-13T21:15:07.847
Modified: 2024-11-21T08:32:17.407
Link: CVE-2023-48702
Redhat
No data.