
Jellyfin Users Exposure Detection Scanner

This scanner checks whether a Jellyfin server's public users API endpoint (/Users/Public) is reachable from the scanned URL and is returning user records. If it is, the server is leaking usernames, user IDs and administrator status to anyone who can reach it, which is useful reconnaissance for an attacker. The scanner reports the exposure so the asset owner can reduce what the endpoint reveals or restrict access to the server.

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 1 hour
Scan only one: URL

Toolbox

Jellyfin is an open-source media system that enables users to manage and stream their own media content across multiple devices. It is widely used by individuals and small organizations looking to host their own media servers. Jellyfin allows for the management of movies, TV shows, music, and other content, making it a versatile tool for home media entertainment. Typically deployed on personal servers or NAS devices, Jellyfin provides a solution for those seeking to avoid cloud-based subscription services. The software supports multiple plugins and client applications, enhancing its functionality and accessibility. Due to its open-source nature, users can customize and extend Jellyfin to suit their specific media needs.

The issue detected by this scanner is the disclosure of user information through Jellyfin's public users API endpoint. The endpoint is unauthenticated by design: it returns the accounts that the web client shows on its login screen, and each record carries the username, the user ID, the user's policy (including whether the account is an administrator) and its configuration. On a server that is only reachable on a trusted LAN this is a minor concern; on a server exposed directly to the internet it hands an anonymous visitor a list of valid account names and identifies which of them are administrators. Reducing the exposure means either keeping the endpoint off the internet (reverse proxy rules, VPN, or an allow-list in front of the server) or limiting what it lists, for example by marking accounts, and administrator accounts in particular, as hidden from login screens in the user's policy.

Technically, the check targets the /Users/Public path of the Jellyfin API with an unauthenticated GET request. A server that lists its users answers with HTTP 200, a JSON content type, and a JSON array of user objects; the scanner confirms the exposure by looking for the keys "Name", "ServerId", "Id", "Policy" and "Configuration" in those objects. Matching on the structure of the response rather than on a single string avoids false positives from unrelated JSON endpoints or from custom error pages that also return 200. An empty array (no listable users) is not reported as an exposure.
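The check described above, written out as an added example. This is not the S4E scanner's own code or part of Jellyfin; the function names, the live fetch helper and the sample response are assumptions. The sample is constructed by hand to mirror the shape of a Jellyfin user object (the `Policy.IsAdministrator` and `Policy.IsHidden` fields are the ones the analysis relies on), and the analysis deliberately requires every indicator key on a record before counting it.

```python
"""Detect an exposed Jellyfin /Users/Public endpoint (added example, not S4E or Jellyfin code)."""
import json
from urllib.request import Request, urlopen

# Keys that the page names as indicators of a Jellyfin user record.
INDICATOR_KEYS = ("Name", "ServerId", "Id", "Policy", "Configuration")


def analyse_public_users(status: int, content_type: str, body: str) -> dict:
    """Classify one /Users/Public response.

    Returns a dict with ``exposed`` (bool), the listed ``users``, the subset
    that are ``admins`` (Policy.IsAdministrator is true) and, when nothing is
    reported, a ``reason`` explaining why the response was not a match.
    """
    result = {"exposed": False, "users": [], "admins": [], "reason": ""}
    if status != 200:
        result["reason"] = f"HTTP {status}"
        return result
    if "application/json" not in content_type.lower():
        # A 200 with an HTML body is typically a login page or a custom error page.
        result["reason"] = f"unexpected content type {content_type!r}"
        return result
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        result["reason"] = "body is not valid JSON"
        return result
    if not isinstance(data, list):
        result["reason"] = "JSON body is not an array of users"
        return result
    for user in data:
        # Require every indicator key so that unrelated JSON does not match.
        if not isinstance(user, dict) or not all(k in user for k in INDICATOR_KEYS):
            continue
        name = user["Name"]
        result["users"].append(name)
        policy = user.get("Policy") or {}
        if policy.get("IsAdministrator"):
            result["admins"].append(name)
    result["exposed"] = bool(result["users"])
    if not result["exposed"]:
        result["reason"] = "no user records matched the indicator keys"
    return result


def fetch_and_analyse(base_url: str, timeout: float = 10.0) -> dict:
    """Live check (hypothetical helper): only run against servers you are authorised to test."""
    req = Request(base_url.rstrip("/") + "/Users/Public",
                  headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        return analyse_public_users(resp.status, resp.headers.get("Content-Type", ""), body)


# Constructed sample response: two visible accounts, one of them an administrator.
SAMPLE_BODY = json.dumps([
    {"Name": "alice", "ServerId": "11111111111111111111111111111111",
     "Id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "HasPassword": True,
     "Policy": {"IsAdministrator": True, "IsHidden": False, "IsDisabled": False},
     "Configuration": {"PlayDefaultAudioTrack": True}},
    {"Name": "bob", "ServerId": "11111111111111111111111111111111",
     "Id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "HasPassword": False,
     "Policy": {"IsAdministrator": False, "IsHidden": False, "IsDisabled": False},
     "Configuration": {"PlayDefaultAudioTrack": True}},
])

if __name__ == "__main__":
    finding = analyse_public_users(200, "application/json; charset=utf-8", SAMPLE_BODY)
    print(finding)  # exposed=True, users=['alice', 'bob'], admins=['alice']
```

Running `fetch_and_analyse("https://media.example.invalid")` performs the same classification on a live response; a server whose users are all hidden from login screens returns an empty array and is reported as not exposed, which is the state an internet-facing instance should be in.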

If this exposure is exploited, an attacker obtains a list of valid usernames, their user IDs and the server's per-user policies without authenticating. Knowing which accounts exist removes the guesswork from password-guessing and credential-stuffing attempts against the login endpoint, and knowing which of them are administrators lets the attacker concentrate those attempts on the accounts that matter. The same information supports social engineering against the named users, and the policy and configuration fields tell the attacker how the server is set up before any further probing. For organisations hosting Jellyfin, publicly listed accounts also mean privacy complaints and loss of user trust. Keeping the endpoint off untrusted networks, or limiting which accounts it lists, closes off this reconnaissance step.
