CVE-2021-21402

Description

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, well-crafted requests to certain endpoints allow arbitrary file read from the Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem; however, it is recommended to update as soon as possible.

NVD
Severity: MEDIUM
CVE ID: CVE-2021-21402
CVSS Score: 6.5
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
GitHub, Inc.
Severity: HIGH
CVE ID: CVE-2021-21402
CVSS Score: 7.7
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Reference: NVD, MITRE

Proof Of Concept

Nuclei Templates for CVE-2021-21402
jiaocoll

CVE-2021-21402-Jellyfin-Arbitrary-File-Read

Reference: GitHub

somatrasss

This project is intended solely for security research and use under authorization; its users are responsible for, and obligated to comply with, local laws and regulations.

Reference: GitHub

givemefivw

CVE-2021-21402 Jellyfin arbitrary file read Wker script, supports batch operation.

Reference: GitHub