Vulnerability Description
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | < 10.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3aPatchThird Party Advisory
- https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1Release NotesThird Party Advisory
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhxThird Party Advisory
- https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3aPatchThird Party Advisory
- https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1Release NotesThird Party Advisory
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhxThird Party Advisory
FAQ
What is CVE-2021-21402?
CVE-2021-21402 is a vulnerability with a CVSS score of 7.7 (HIGH). Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This iss...
How severe is CVE-2021-21402?
CVE-2021-21402 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21402?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.