cvelist GitHub_M CVELIST:CVE-2023-30626
History: Apr 24, 2023 - 8:06 p.m.

CVE-2023-30626 Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution

2023-04-24 20:06:39
CWE-22
GitHub_M
www.cve.org
Tags: jellyfin, media system, directory traversal, file write, arbitrary code execution, vulnerability, patch

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: High
EPSS: 0.001
Percentile: 49.9%

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "jellyfin",
    "product": "jellyfin",
    "versions": [
      {
        "version": ">= 10.8.0, < 10.8.10",
        "status": "affected"
      }
    ]
  }
]
