Home > Vulnerability Database > CVE-2023-48702

Mend.io Vulnerability Database

CVE-2023-48702

Date: December 13, 2023

Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the "/System/MediaEncoder/Path" endpoint executes an arbitrary file using "ProcessStartInfo" via the "ValidateVersion" function. A malicious administrator can setup a network share and supply a UNC path to "/System/MediaEncoder/Path" which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.

Language: C#

Severity Score

7.2

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-48702

Url: https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/

Url: https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86

Url: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr

Url: https://www.mend.io/vulnerability-database/CVE-2023-48702

Severity Score

7.2

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-48702

Date: December 13, 2023

Language: C#

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?