CVE-2023-33193

2023-05-3006:16:42

CWE-444

[email protected]

web.nvd.nist.gov

emby server

cve-2023-33193

home media server

user accounts

security vulnerability

patch

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.7%

JSON

Emby Server is a user-installable home media server which stores and organizes a user’s media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn’t tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.

Affected configurations

Vulners

NVD

Node

embysupportsecurityRange<4.7.12

embysupportsecurityRange<4.8.31

CPENameOperatorVersion
emby:emby.releasesemby emby.releaseslt4.7.0.12
emby:emby.releasesemby emby.releaseslt4.8.31

CPE	Name	Operator	Version
emby:emby.releases	emby emby.releases	lt	4.7.0.12
emby:emby.releases	emby emby.releases	lt	4.8.31

CNA Affected

[
  {
    "vendor": "EmbySupport",
    "product": "security",
    "versions": [
      {
        "version": "< 4.7.12",
        "status": "affected"
      },
      {
        "version": " < 4.8.31",
        "status": "affected"
      }
    ]
  }
]