Vulnerability Description
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | < 10.7.3 |
Related Weaknesses (CWE)
References
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96PatchThird Party Advisory
- https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96PatchThird Party Advisory
FAQ
What is CVE-2021-29490?
CVE-2021-29490 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Fo...
How severe is CVE-2021-29490?
CVE-2021-29490 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-29490?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.