
CVE-2021-21402: AI Deep Analysis Summary

CVSS 7.7 · High

Q1 What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Path Traversal in Jellyfin < 10.7.1 allows reading arbitrary files from the server's filesystem. 💥 **Consequences**: Sensitive data exposure and potential system compromise, especially on Windows hosts.

Q2 Root Cause? (CWE/Flaw)

🛡️ **Root Cause**: CWE-22 (Path Traversal). The application fails to properly sanitize user input in URLs, allowing `../` sequences to escape the intended directory.

Q3 Who is affected? (Versions/Components)

📦 **Affected**: Jellyfin versions **before 10.7.1**. Components: media server core handling audio/streaming requests.

Q4 What can hackers do? (Privileges/Data)

🕵️ **Attacker Capabilities**: Read arbitrary files (e.g., config files, source code, credentials). No privilege escalation needed, just file access.

Q5 Is exploitation threshold high? (Auth/Config)

🔓 **Exploitation Threshold**: **Low**. Requires only **Low Privileges** (PR:L), with **Low Complexity** (AC:L) and **No User Interaction** (UI:N). Network accessible (AV:N).

Q6 Is there a public Exp? (PoC/Wild Exploitation)

💣 **Public Exp?**: **YES**. Multiple PoCs available on GitHub (Python, Wker scripts, Nuclei templates). Easy to automate for batch scanning.

Q7 How to self-check? (Features/Scanning)

🔍 **Self-Check**: Send crafted GET requests with `..%5C` (URL-encoded backslash) to audio/stream endpoints. Check for `200 OK` and file content (e.g., `win.ini` on Windows).
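The same signature can be watched for on the defender's side. The following added example (not from this page or the Jellyfin project) scans access-log lines for `..%5C` / `..%2F` traversal sequences on audio/stream paths, decoding repeated URL encoding first so that a double-encoded `%252F` is not missed, and flags requests that were answered with `200`. The log lines and endpoint paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /Audio/1/stream/..%5C..%5C..%5CWindows%5Cwin.ini HTTP/1.1" 200 92
10.0.0.6 - - [10/Mar/2021:12:00:02 +0000] "GET /Audio/1/stream.mp3?static=true HTTP/1.1" 200 4194304
10.0.0.7 - - [10/Mar/2021:12:00:03 +0000] "GET /Videos/2/stream?..%252F..%252Fetc%2Fpasswd HTTP/1.1" 404 0
10.0.0.8 - - [10/Mar/2021:12:00:04 +0000] "GET /web/index.html HTTP/1.1" 200 1200
"""

# Pull method, request path and status code out of one log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." segment followed by either separator; Jellyfin on Windows honoured "\" too.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252F -> %2F -> /), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(path: str) -> bool:
    """True if the decoded request path contains a '..' segment followed by a separator."""
    return TRAVERSAL_RE.search(fully_decode(path)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose path carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        if is_traversal(m["path"]):
            status = int(m["status"])
            # A 200 means the server may actually have served the file: highest priority.
            hits.append({"path": m["path"], "status": status, "served": status == 200})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A `served` hit against a pre-10.7.1 instance is the case to treat as a likely file read and investigate, not merely as a scan.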

Q8 Is it fixed officially? (Patch/Mitigation)

✅ **Fixed?**: **YES**. Officially patched in **Jellyfin 10.7.1**. Upgrade immediately via official downloads.

Q9 What if no patch? (Workaround)

🚧 **No Patch Workaround**: Implement strict filesystem permissions on the server. Restrict access to sensitive directories. Not a full fix, but reduces risk.

Q10 Is it urgent? (Priority Suggestion)

⚡ **Urgency**: **HIGH**. CVSS Score: **7.5** (High). Public exploits exist. If exposed to the internet, immediate patching is critical.