CVE-2026-35033
Unauthenticated Arbitrary File Read via ffmpeg Injection in Jellyfin
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jellyfin | jellyfin | < 10.11.7 (10.11.7 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated arbitrary file read via ffmpeg argument injection through the StreamOptions query parameter in Jellyfin versions prior to 10.11.7.
Detection can focus on monitoring requests to the vulnerable endpoint /Videos/{itemId}/stream that include suspicious StreamOptions query parameters containing ffmpeg drawtext filters with textfile arguments.
Since the vulnerability is exploited by injecting specific query parameters, network detection can involve inspecting HTTP requests for unusual StreamOptions parameters that include 'drawtext' and 'textfile' filters.
- Use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to the /Videos/ endpoint.
- Example tcpdump command to capture HTTP GET requests to the vulnerable endpoint: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/Videos/'
- Search web server logs for requests to /Videos/{itemId}/stream containing StreamOptions parameters with 'drawtext' and 'textfile' keywords.
- Example grep command on access logs: grep '/Videos/' access.log | grep 'StreamOptions' | grep -i 'drawtext' | grep -i 'textfile'
Additionally, verifying the Jellyfin version to ensure it is 10.11.7 or later can help confirm if the system is patched against this vulnerability.
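The log-search approach above works on plain-text log lines, but the keyword grep misses requests where the StreamOptions value is percent-encoded (or double-encoded), and the tcpdump filter watches port 80 while Jellyfin listens on 8096 by default, so the port must match wherever the instance or its reverse proxy actually accepts HTTP. The following script is an added example, not code from the page or from the Jellyfin project: it parses access-log lines in the common/combined format that nginx or Apache writes in front of Jellyfin (an assumption), isolates requests to /Videos/{itemId}/stream, fully percent-decodes the StreamOptions value, and flags only requests whose decoded value contains both of the advisory's keywords. The sample log lines, IP addresses, item ids and the placeholder file path are all constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a common/combined access-log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The endpoint named in the advisory, with the optional ".{container}" suffix Jellyfin also accepts.
STREAM_PATH_RE = re.compile(r"^/Videos/[^/]+/stream(?:\.[A-Za-z0-9]+)?$", re.IGNORECASE)
# Both keywords must be present in the decoded StreamOptions value to raise a finding.
KEYWORDS = ("drawtext", "textfile")


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded value cannot hide the keywords."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a finding dict for a request target matching the advisory's pattern, else None."""
    parts = urlsplit(target)
    if not STREAM_PATH_RE.match(unquote(parts.path)):
        return None
    # parse_qs already decodes one layer; keys are compared case-insensitively because the
    # vulnerable parser accepted lowercase parameter names.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "streamoptions":
            continue
        for raw in values:
            decoded = fully_unquote(raw).lower()
            if all(word in decoded for word in KEYWORDS):
                return {"path": parts.path, "stream_options": decoded}
    return None


def scan_access_log(lines):
    """Scan access-log lines; return (line_number, finding) pairs for suspicious stream requests."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample log: a normal stream request, a plainly encoded suspicious request,
# a double-encoded one that a keyword grep on the raw line would miss, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Apr/2026:10:00:01 +0000] "GET /Videos/0f1e2d3c4b5a69788796a5b4c3d2e1f0/stream?Static=true&MediaSourceId=0f1e2d3c HTTP/1.1" 200 51234 "-" "Jellyfin Web"',
    '203.0.113.9 - - [14/Apr/2026:10:00:07 +0000] "GET /Videos/0f1e2d3c4b5a69788796a5b4c3d2e1f0/stream?StreamOptions=drawtext%3Dtextfile%3D%2FPLACEHOLDER_PATH HTTP/1.1" 200 9981 "-" "curl/8.5.0"',
    '203.0.113.9 - - [14/Apr/2026:10:00:12 +0000] "GET /Videos/0f1e2d3c4b5a69788796a5b4c3d2e1f0/stream?streamoptions=%2564rawtext%253Dtextfile%253D%252FPLACEHOLDER_PATH HTTP/1.1" 200 9981 "-" "curl/8.5.0"',
    '203.0.113.5 - - [14/Apr/2026:10:00:20 +0000] "GET /Items/0f1e2d3c4b5a69788796a5b4c3d2e1f0/Images/Primary HTTP/1.1" 200 4096 "-" "Jellyfin Web"',
]

if __name__ == "__main__":
    for number, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {finding['path']} StreamOptions={finding['stream_options']!r}")
```

Run against a real file with `scan_access_log(open("access.log"))`; the third sample line is the case the raw `grep` chain misses, because neither keyword appears until the value is decoded twice. Treat any hit from an unauthenticated source as an indicator to check against the Jellyfin version and the files named in the decoded value.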
Can you explain this vulnerability to me?
This vulnerability exists in Jellyfin versions prior to 10.11.7 and involves an unauthenticated arbitrary file read through ffmpeg argument injection. Specifically, the StreamOptions query parameter parsing mechanism allows any lowercase query parameter to be added to a dictionary without validation. This bypasses the intended RegularExpression attribute on the level controller parameter. The unsanitized value is then directly concatenated into the ffmpeg command line.
An attacker can exploit this by injecting a drawtext filter with a textfile argument, enabling them to read arbitrary server files such as /etc/shadow. The contents of these files can then be exfiltrated as text rendered in the video stream response. The vulnerable endpoint /Videos/{itemId}/stream does not require authentication, although obtaining item GUIDs requires an authenticated user.
This issue was fixed in Jellyfin version 10.11.7.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an unauthenticated attacker to read arbitrary files on the server running Jellyfin. Sensitive files such as /etc/shadow, which contains password hashes, can be accessed and exfiltrated.
Such unauthorized access can lead to further compromise of the server, including privilege escalation or unauthorized access to user accounts. The high CVSS score of 9.3 reflects the critical nature of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Jellyfin to version 10.11.7 or later, where the issue has been fixed.
Since the vulnerability allows unauthenticated arbitrary file read via the StreamOptions query parameter, restricting access to the /Videos/{itemId}/stream endpoint or applying additional authentication controls can reduce risk until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to read arbitrary files on the server, including sensitive files such as /etc/shadow, which could lead to unauthorized access to sensitive personal or system data.
Such unauthorized data exposure could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.