CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2021-29490

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.907

EPSS Ranking 99.6%

CVSS Severity

CVSS v3 Score 5.8

CVSS v2 Score 5.0

References

Products affected by CVE-2021-29490

Jellyfin » Jellyfin » Version: N/A

cpe:2.3:a:jellyfin:jellyfin:-
Jellyfin » Jellyfin » Version: 10.0.0

cpe:2.3:a:jellyfin:jellyfin:10.0.0
Jellyfin » Jellyfin » Version: 10.0.1

cpe:2.3:a:jellyfin:jellyfin:10.0.1
Jellyfin » Jellyfin » Version: 10.0.2

cpe:2.3:a:jellyfin:jellyfin:10.0.2
Jellyfin » Jellyfin » Version: 10.1.0

cpe:2.3:a:jellyfin:jellyfin:10.1.0
Jellyfin » Jellyfin » Version: 10.2.0

cpe:2.3:a:jellyfin:jellyfin:10.2.0
Jellyfin » Jellyfin » Version: 10.2.1

cpe:2.3:a:jellyfin:jellyfin:10.2.1
Jellyfin » Jellyfin » Version: 10.2.2

cpe:2.3:a:jellyfin:jellyfin:10.2.2
Jellyfin » Jellyfin » Version: 10.3.0

cpe:2.3:a:jellyfin:jellyfin:10.3.0
Jellyfin » Jellyfin » Version: 10.3.1

cpe:2.3:a:jellyfin:jellyfin:10.3.1
Jellyfin » Jellyfin » Version: 10.3.2

cpe:2.3:a:jellyfin:jellyfin:10.3.2
Jellyfin » Jellyfin » Version: 10.3.3

cpe:2.3:a:jellyfin:jellyfin:10.3.3
Jellyfin » Jellyfin » Version: 10.3.4

cpe:2.3:a:jellyfin:jellyfin:10.3.4
Jellyfin » Jellyfin » Version: 10.3.5

cpe:2.3:a:jellyfin:jellyfin:10.3.5
Jellyfin » Jellyfin » Version: 10.3.6

cpe:2.3:a:jellyfin:jellyfin:10.3.6
Jellyfin » Jellyfin » Version: 10.3.7

cpe:2.3:a:jellyfin:jellyfin:10.3.7
Jellyfin » Jellyfin » Version: 10.4.0

cpe:2.3:a:jellyfin:jellyfin:10.4.0
Jellyfin » Jellyfin » Version: 10.4.1

cpe:2.3:a:jellyfin:jellyfin:10.4.1
Jellyfin » Jellyfin » Version: 10.4.2

cpe:2.3:a:jellyfin:jellyfin:10.4.2
Jellyfin » Jellyfin » Version: 10.4.3

cpe:2.3:a:jellyfin:jellyfin:10.4.3
Jellyfin » Jellyfin » Version: 10.5.0

cpe:2.3:a:jellyfin:jellyfin:10.5.0
Jellyfin » Jellyfin » Version: 10.5.1

cpe:2.3:a:jellyfin:jellyfin:10.5.1
Jellyfin » Jellyfin » Version: 10.5.2

cpe:2.3:a:jellyfin:jellyfin:10.5.2
Jellyfin » Jellyfin » Version: 10.5.3

cpe:2.3:a:jellyfin:jellyfin:10.5.3
Jellyfin » Jellyfin » Version: 10.5.4

cpe:2.3:a:jellyfin:jellyfin:10.5.4
Jellyfin » Jellyfin » Version: 10.5.5

cpe:2.3:a:jellyfin:jellyfin:10.5.5
Jellyfin » Jellyfin » Version: 10.6.0

cpe:2.3:a:jellyfin:jellyfin:10.6.0
Jellyfin » Jellyfin » Version: 10.6.1

cpe:2.3:a:jellyfin:jellyfin:10.6.1
Jellyfin » Jellyfin » Version: 10.6.2

cpe:2.3:a:jellyfin:jellyfin:10.6.2
Jellyfin » Jellyfin » Version: 10.6.3

cpe:2.3:a:jellyfin:jellyfin:10.6.3
Jellyfin » Jellyfin » Version: 10.6.4

cpe:2.3:a:jellyfin:jellyfin:10.6.4
Jellyfin » Jellyfin » Version: 10.7.0

cpe:2.3:a:jellyfin:jellyfin:10.7.0
Jellyfin » Jellyfin » Version: 10.7.1

cpe:2.3:a:jellyfin:jellyfin:10.7.1
Jellyfin » Jellyfin » Version: 10.7.2

cpe:2.3:a:jellyfin:jellyfin:10.7.2

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2021-29490

Products

Pricing

Contact Us