Unauthenticated GET requests through Remote Image endpoints

Moderate
joshuaboniface published GHSA-rgjw-4fwc-9v96 May 5, 2021

Package

Jellyfin

Affected versions

<10.7.2

Patched versions

10.7.3

Description

Impact

The API endpoints /Images/Remote?imageUrl=<URL>, /Items/RemoteSearch/Image?ImageUrl=<URL>&ProviderName=TheMovieDB, and /Items/{itemId}/RemoteImages/Download are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) via the imageUrl parameter. Because the server fetches the supplied URL on the caller's behalf, any HTTP server, or any other resource reachable with an HTTP GET, that is visible from the Jellyfin host is potentially exposed, whether it is internal or external.

This allows:

Information Disclosure and Exfiltration

Unauthenticated image requests had previously been identified as an issue, since they can leak every image stored on the server. The exposure is not limited to images, however: any resource that can be obtained with an HTTP request on the webserver's local network can be retrieved remotely through these endpoints.

Unauthenticated Access to Internal Network HTTP Servers

The SSRF can be leveraged to connect to any HTTP server on the same network as the Jellyfin server, for instance an Nginx instance exposed only internally, an internal RESTful API such as a NoSQL database's HTTP interface, or a GraphQL database. This is not limited to services hosted on the local machine; it extends to every machine connected to the local network.

Port and IP Scanning and Enumeration

This vulnerability can also be used to port-scan for HTTP servers, both internal and external, on demand, and to enumerate every machine on the local network that has an open HTTP port.

Patches

Fixed in Jellyfin 10.7.3 (see Patched versions above).

Workarounds

  • Disable external access to the API endpoints /Items/*/RemoteImages/Download, /Items/RemoteSearch/Image and /Images/Remote via reverse proxy, or limit to known-friendly IPs.
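The following is an added example, not code from the advisory or from the Jellyfin project. It triages reverse-proxy access-log lines for the three Remote Image endpoints named above: it extracts the imageUrl/ImageUrl parameter, classifies where the requested URL points (loopback, RFC 1918, link-local or single-label LAN names count as internal), and notes whether the client falls inside an assumed "known-friendly" range as in the workaround. The log format, the friendly range 192.168.1.0/24 and the sample lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The three endpoints named in the advisory; the {itemId} segment is one path component.
ENDPOINTS = re.compile(r"^/(Images/Remote|Items/RemoteSearch/Image|Items/[^/]+/RemoteImages/Download)$", re.I)
# Combined-format access log: client, method, request target. Later fields are ignored.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) ')
# Assumed "known-friendly" client range from the workaround (constructed for this example).
FRIENDLY_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Constructed sample: two probes at internal hosts, one normal poster fetch, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2021:10:00:01 +0000] "GET /Images/Remote?imageUrl=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/May/2021:10:00:02 +0000] "GET /Items/RemoteSearch/Image?ImageUrl=http%3A%2F%2F10.0.0.5%2F&ProviderName=TheMovieDB HTTP/1.1" 200 2048',
    '192.168.1.20 - - [05/May/2021:10:00:03 +0000] "GET /Items/abc123/RemoteImages/Download?imageUrl=https%3A%2F%2Fimage.tmdb.org%2Fposter.jpg HTTP/1.1" 204 0',
    '192.168.1.20 - - [05/May/2021:10:00:04 +0000] "GET /Users/Public HTTP/1.1" 200 312',
]


def target_risk(url):
    """Classify where imageUrl points: 'internal', 'external', 'unresolved' or 'invalid'."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a name, not a literal; it cannot be resolved offline
        return "internal" if host == "localhost" or "." not in host else "unresolved"
    if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved:
        return "internal"
    return "external"


def analyse(log_lines):
    """One finding per request to a Remote Image endpoint: who asked, for what, how risky."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        path, _, query = m["target"].partition("?") if m else ("", "", "")
        if not ENDPOINTS.match(path):
            continue
        # The parameter is imageUrl on two endpoints and ImageUrl on the third; fold case.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        url = params.get("imageurl", [""])[0]
        findings.append({"client": m["client"], "path": path, "url": url,
                         "friendly": any(ipaddress.ip_address(m["client"]) in n for n in FRIENDLY_NETS),
                         "risk": target_risk(url) if url else "invalid"})
    return findings
```

A hostname that is not a literal address is reported as "unresolved" rather than guessed at, so an analyst resolves it from a trusted vantage point before deciding.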

References

Similar to https://nvd.nist.gov/vuln/detail/CVE-2020-26948 for Emby < 4.5

Severity

Moderate, 5.8 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE ID

CVE-2021-29490

Weaknesses

No CWEs

Credits