CVE-2023-48702
Severity: HIGH
jellyfin < 10.8.13 - Authenticated Remote Code Execution via MediaEncoder Path Endpoint
Title source: llmDescription
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC path to `/System/MediaEncoder/Path` that points to an executable on the network share, causing the Jellyfin server to run that executable in its local context. The endpoint was removed in version 10.8.13.
References
Exploit, Third Party Advisory: https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/
Exploit, Vendor Advisory: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr
Scores
CVSS v3: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0120
EPSS Percentile: 64.2%
Details
CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Status: published
Products (1)
jellyfin/jellyfin < 10.8.13
Published: Dec 13, 2023
Tracked Since: Feb 18, 2026