CVE-2021-21402

Published: 23/03/2021 Updated: 27/03/2021
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 357
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, well-crafted requests to certain endpoints allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem; however, it is recommended to update as soon as possible.

Vulnerable Product

jellyfin jellyfin

Vendor Advisories

Check Point Reference: CPAI-2021-2092 Date Published: 1 Feb 2024 Severity: Medium ...

Github Repositories

CVE-2021-21402 Jellyfin arbitrary file read, Wker script, supports batch use.

CVE-2021-21402 CVE-2021-21402 Jellyfin arbitrary file read, Wker script, supports batch use. The logic is simple: a GET request checks whether winini exists: #define payload = /Audio/1/hls/%5C%5C%5C%5C%5C%5CWindows%5Cwinini/streammp3/ #define info = CVE-2021-21402 Jellyfin任意文件读取 function main(args){ dirs = StrSplit(ReadFile("script\CVE漏洞\CVE-2021\CVE-202

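CVE-2021-21402-Jellyfin-任意文件读取 (Jellyfin arbitrary file read)

CVE-2021-21402-Jellyfin-任意文件读取 This PoC is for learning and exchange only; I accept no responsibility for any consequences arising from it. python POCpy targetstxt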

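This project is intended only for security research and authorized use; its users have the responsibility and obligation to comply with local laws and regulations.

#CVE-2021-21402 Jellyfin arbitrary file read. Vulnerability overview: Jellyfin is a free software media system for controlling and managing media and streaming media. It is an alternative to Emby and Plex, and it delivers media from a dedicated server to end-user devices through multiple applications. Jellyfin belongs to the Emby 352 NET core framework, to provide full cross-platform support. In Jellyfin version 1071, an attacker maliciously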