CVE-2021-21402

Опубликовано: 23 мар. 2021

Источник: nvd

CVSS3: 7.7

CVSS3: 6.5

CVSS2: 4

EPSS Критический

Описание

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

Ссылки

https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7
Patch
Third Party Advisory
https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1
Release Notes
Third Party Advisory
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx
Third Party Advisory
https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7
Patch
Third Party Advisory
https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1
Release Notes
Third Party Advisory
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Версия до 10.7.1 (исключая)

EPSS

Процентиль: 100%

0.9275

Критический

7.7 High

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2021-21402

CVSS3: 7.7

debian

почти 5 лет назад

Jellyfin is a Free Software Media System. In Jellyfin before version 1 ...

EPSS

Процентиль: 100%

0.9275

Критический

7.7 High

CVSS3

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-22