CVE-2023-48702: 
NixOS vulnerability analysis and mitigation

Jellyfin, a system for managing and streaming media, was found to contain a vulnerability (CVE-2023-48702) in versions prior to 10.8.13. The vulnerability was discovered in the /System/MediaEncoder/Path endpoint, which could allow a malicious administrator to execute arbitrary code on the Jellyfin server. The issue was reported by Kevin Stubbings from the GitHub Security Lab team and was disclosed on December 13, 2023 (GitHub Advisory).

The vulnerability exists in the /System/MediaEncoder/Path endpoint which executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. The vulnerability has a CVSS v3.1 Base Score of 7.2 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD, GitHub Advisory).

The vulnerability allows a malicious administrator to set up a network share and supply a UNC path to /System/MediaEncoder/Path which points to an executable on the network share. This results in the Jellyfin server executing the arbitrary executable in the local context, potentially compromising the system (GitHub Advisory).

The vulnerability was patched in Jellyfin version 10.8.13 by completely removing the /System/MediaEncoder/Path endpoint functionality. Users should upgrade to version 10.8.13 or later to mitigate this security risk (GitHub Advisory, Patch).