Comment on Sharing Jellyfin
Selfhoster1728@infosec.pub 1 day ago
See this issue on their GitHub repo: here
Basically from what I understand there’s loads of unauthenticated API calls, so someone can very easily exploit that.
exu@feditown.com 1 day ago
The main unauthenticated action is video streaming, but an attacker would need to guess the correct id by chance.
github.com/jellyfin/jellyfin/issues/5415#issuecom…
MaggiWuerze@feddit.org 1 day ago
It’s not chance if the ID is based on the path to your media. There’s but that much variation in the path to a certain movie and it’s trivial to build a rainbow table to try them out. This way unauthenticated users cannot only stream from your server but effectively map your library.