Comment on Sharing Jellyfin
skankhunt42@lemmy.ca 11 months ago
Hang on, why not open the port to Jellyfin to the internet?
I have a lifetime Plex pass so it's not urgent, but I have containers running Emby and Jellyfin to check them out. When I decide which one, I planned to open it up and give people logins.
See this issue on their GitHub repo: here
Basically, from what I understand, there are loads of unauthenticated API calls, so someone can very easily exploit that.
The main unauthenticated action is video streaming, but an attacker would need to guess the correct ID by chance.
It's not chance if the ID is based on the path to your media. There's not that much variation in the path to a certain movie, and it's trivial to build a rainbow table to try them out. This way unauthenticated users can not only stream from your server but effectively map your library.
possiblylinux127@lemmy.zip 11 months ago
That wouldn’t even be using TLS
Bad idea