Comment on That's all folks, Plex is starting to charge for sharing
MaggiWuerze@feddit.org 5 weeks agoDoesn’t do shit when large parts of the Backend are not authenticated
Comment on That's all folks, Plex is starting to charge for sharing
MaggiWuerze@feddit.org 5 weeks agoDoesn’t do shit when large parts of the Backend are not authenticated
Dave@lemmy.nz 5 weeks ago
What kids of things?
I’ve never worried that much because it’s not critical data and it’s containerised in Docker, but I am curious about specifics because large numbers of people expose it to the internet (through reverse proxies).
MaggiWuerze@feddit.org 5 weeks ago
github.com/jellyfin/jellyfin/issues/5415
Dave@lemmy.nz 5 weeks ago
Cheers for that. Many of these issues allow a user to do admin actions if they do the right things, so it seems you should never allow a user that you don’t fully trust to have an account.
But outside of this, there isn’t anything in there that on its own worries me given the nature of the platform (that is, that if it all burnt down I could retrieve all data from other sources). I’m no expert but a cursory look shows a bunch of potential issues that may be layered with other issues but no clear attack path except with prior knowledge.
These should obviously be fixed but there’s nothing that makes me want to rip my server off the open internet in a hurry.
Zeoic@lemmy.world 4 weeks ago
Seems trivial to me for someone to guess file paths and use those to confirm if specific content is on a jellyfin server. With how prevalent things like docker and sonarr are, filepaths are pretty standardized these days. I wouldn’t trust JF without a VPN