Unauthenticated Arbitrary File Access

Moderate
joshuaboniface published GHSA-wg4c-c9g9-rxhx Mar 21, 2021

Package

Jellyfin

Affected versions

<=10.7.0

Patched versions

10.7.1

Description

Impact

With certain endpoints, well-crafted requests allow arbitrary file reads from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk.

Patches

A patch is in maintenance release 10.7.1, available as of 2021-03-21.

Found in
1f3aa3f - Apply review suggestions
470305f - Authenticated arbitrary file overwrite in SubtitleController -> SubtitleManager
239a715 - Fix arbitrary image file reads in ImageByNameController
f61d186 - Fix directory traversal in the HlsSegmentController in a fairly rudimentary but working way.
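The fixes listed above close directory traversal in the affected controllers. As an added illustration (not Jellyfin's code, and in Python rather than the project's C#), the following confinement check shows the kind of validation a file-serving endpoint needs, and why the same request name can be harmless on a POSIX host yet traverse on Windows: backslashes and drive letters are path syntax there. The base directory, the request names and the `resolve_under` function are all assumptions constructed for this example.

```python
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional
from urllib.parse import unquote


def resolve_under(base: str, requested: str, windows: bool = False) -> Optional[str]:
    """Join a request-supplied file name under `base` and return the normalized
    path, or None if the name is anchored (absolute, drive-qualified or UNC),
    double-encoded, contains NUL, is empty, or would climb out of `base`.

    Pure path flavours are used so the Windows rules (backslash separators,
    drive letters) are applied regardless of the host running this check, which
    is what makes one input harmless on one OS and a traversal on another.
    """
    flavour = PureWindowsPath if windows else PurePosixPath
    # Decode percent-encoding once; if a second pass would change the result
    # the input was double-encoded, so reject rather than guess at intent.
    name = unquote(requested)
    if unquote(name) != name or "\x00" in name:
        return None
    user = flavour(name)
    # Anything with an anchor ('/x', 'C:x', 'C:\\x', '\\\\server\\share\\x')
    # would replace rather than extend the base when joined.
    if user.anchor:
        return None
    kept = []
    for part in user.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if not kept:            # climbing above the base directory
                return None
            kept.pop()
        else:
            kept.append(part)
    if not kept:                    # empty name: nothing to serve
        return None
    return str(flavour(base).joinpath(*kept))


# Constructed request names (not taken from the advisory); runs on any host.
if __name__ == "__main__":
    for win, name in [(False, "movies/a.mkv"), (False, "../../outside.txt"),
                      (False, "..\\..\\outside.txt"), (True, "..\\..\\outside.txt"),
                      (True, "C:outside.txt"), (False, "..%252F..%252Foutside.txt")]:
        base = "D:\\media" if win else "/srv/media"
        print("windows" if win else "posix", repr(name), "->",
              resolve_under(base, name, windows=win))
```

The backslash case is the one to note: on POSIX it is just an odd file name inside the base, on Windows it is two levels of traversal, which is why a check written and tested only on Linux can pass there and still fail on a Windows host.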

Workarounds

Users may be able to restrict some access by enforcing strict security permissions on their filesystem; however, updating as soon as possible is recommended.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21402

Weaknesses

No CWEs

Credits