CVE-2026-49247
Path Traversal in Jellyfin Media Server

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Jellyfin is an open-source, self-hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: jellyfin, Product: jellyfin, Version / Range: from 10.9.0 (inc) to 10.11.10 (inc)
Vendor: jellyfin, Product: jellyfin, Version: 10.11.10
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

This vulnerability exists in Jellyfin versions from 10.9.0 up to 10.11.10. The POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them without sanitization as part of the filename when saving client-uploaded log documents on disk.

Because the Client field can include '../' sequences, an authenticated non-admin user can exploit this to cause Jellyfin to write attacker-controlled content to arbitrary file paths accessible by the Jellyfin service user, with a forced .log file extension.

This means an attacker can perform directory traversal to write files outside the intended directory, potentially overwriting or creating files in sensitive locations.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated non-admin user to write arbitrary files to locations on the server where Jellyfin runs.

Potential impacts include unauthorized modification or creation of files, which can lead to data corruption, service disruption, or even remote code execution if the attacker writes malicious scripts or configuration files.

The CVSS score of 8.8 indicates a high severity with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

The vulnerability is fixed in Jellyfin version 10.11.10. The immediate step to mitigate this vulnerability is to upgrade your Jellyfin installation to version 10.11.10 or later.

Until the upgrade can be performed, restrict authenticated non-admin users from accessing the POST /ClientLog/Document endpoint to prevent exploitation.

Detection Guidance

This vulnerability involves the POST /ClientLog/Document endpoint accepting unsanitized Client and Version fields in the Authorization header, which can be exploited by including directory traversal sequences (../) in the Client field.

To detect attempts to exploit this vulnerability on your network or system, you can monitor HTTP POST requests to the /ClientLog/Document endpoint and inspect the Authorization header for suspicious patterns such as '../' sequences in the Client field.

Example commands to detect such attempts include:

  • Using tcpdump to capture relevant HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'POST /ClientLog/Document' (this only works for plaintext HTTP; traffic on port 443 is TLS-encrypted and has to be inspected at the TLS-terminating reverse proxy instead)
  • Using grep or similar tools on Jellyfin access logs to find suspicious Authorization headers: grep -i 'POST /ClientLog/Document' /path/to/jellyfin/logs/access.log | grep '\.\./' (also match URL-encoded forms such as %2e%2e%2f when the logging layer records the raw header)
  • Using a web application firewall (WAF) or intrusion detection system (IDS) to alert on directory traversal patterns in HTTP headers.

Note that no specific detection commands or tools are provided in the available resources, so these suggestions are based on the nature of the vulnerability.
