CVE-2021-21402
published 2021-03-23


Priority: P2, 78
Severity: medium (6.5, CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
Tags: ITW EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 79.86% (99.6th percentile)
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

Affected

1 range

Vendor    Product   Version range   Fixed in
jellyfin  jellyfin  < 10.7.1        10.7.1

Detection & IOCs (extracted from sources)

url: /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
url: /Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
path: ..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini
  • Look for GET requests to Jellyfin /Audio/{id}/hls/ or /Videos/{id}/hls/ endpoints containing URL-encoded backslash path traversal sequences (%5C) targeting win.ini or other sensitive files.
  • Successful exploitation returns HTTP 200 with Content-Type: application/octet-stream and a response body matching Windows INI section headers such as [fonts], [extensions], or [files].
  • Shodan/FOFA fingerprinting for exposed Jellyfin instances: search for http.html containing 'Jellyfin' or page title 'jellyfin' to identify potentially vulnerable targets.
  • The vulnerability is exploitable by authenticated users (PR:L) via crafted HLS streaming endpoint paths; monitor authenticated sessions making traversal requests to /Audio/ or /Videos/ HLS endpoints.
  • This vulnerability is significantly more prevalent on Windows-hosted Jellyfin servers due to backslash path separator handling; Linux hosts may be less affected.
  • The nuclei template targets Jellyfin versions strictly before 10.7.1; servers already patched to 10.7.1 or later are not vulnerable.
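The first two detection bullets above (encoded-backslash traversal on the /Audio/{id}/hls/ and /Videos/{id}/hls/ endpoints, with HTTP 200 as the success indicator) can be turned into a log scan. The script below is an added example written for this page, not tooling from Jellyfin, VulnCheck or the nuclei project. It assumes Combined Log Format access logs in front of the Jellyfin server; the log lines it scans are constructed samples. It percent-decodes repeatedly so a double-encoded separator (%255C) is caught as well as the plain %5C form listed in the IoCs, and it flags 200 responses on traversal paths as likely successful reads.

```python
"""Scan access logs for CVE-2021-21402-style traversal requests against
Jellyfin's /Audio/{id}/hls/ and /Videos/{id}/hls/ endpoints."""
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Mar/2021:10:00:01 +0000] "GET /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/ HTTP/1.1" 200 92 "-" "curl/7.68.0"
10.0.0.6 - - [23/Mar/2021:10:00:02 +0000] "GET /Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/ HTTP/1.1" 200 92 "-" "python-requests/2.25.1"
10.0.0.7 - - [23/Mar/2021:10:00:03 +0000] "GET /Videos/42/hls/main/stream.m3u8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [23/Mar/2021:10:00:04 +0000] "GET /Audio/7/hls/%252e%252e%255c%252e%252e%255cWindows%255cwin.ini/stream.mp3/ HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.9 - - [23/Mar/2021:10:00:05 +0000] "GET /Items/1/Images/Primary HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two HLS endpoints named in the IoCs; the item id segment is arbitrary.
HLS_ENDPOINT_RE = re.compile(r'^/(Audio|Videos)/[^/]+/hls/', re.IGNORECASE)


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %255C (double-encoded
    backslash) is reduced to '\\' just like the single-encoded %5C form."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target):
    """True if the decoded path contains a '..' segment, treating both '/' and
    '\\' as separators (the backslash form is what matters on Windows hosts)."""
    path = decode_fully(target.split('?', 1)[0])
    return '..' in re.split(r'[\\/]', path)


def scan_log(text):
    """Return one finding per request that hits an HLS endpoint with a traversal path."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        if not HLS_ENDPOINT_RE.match(target) or not has_traversal(target):
            continue
        status = int(m.group('status'))
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'target': target,
            'decoded': decode_fully(target),
            'status': status,
            # Per the IoC notes, a 200 on a traversal path means the file was likely served.
            'likely_success': status == 200,
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        verdict = 'LIKELY READ' if f['likely_success'] else 'rejected'
        print(f"{f['timestamp']} {f['ip']} {f['status']} {verdict} {f['decoded']}")
```

Run on the sample, the first two lines (200 on a win.ini traversal) are reported as likely successful reads, the double-encoded attempt with a 404 is reported as rejected, and the legitimate stream.m3u8 and image requests produce nothing. Pair the 200 hits with a check of the response size or body where the proxy logs it, since the bullet above notes that a successful read returns application/octet-stream with INI section headers.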

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd        v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck  -        7.7    HIGH      -