CVE-2023-49096: 
NixOS vulnerability analysis and mitigation

Jellyfin, a Free Software Media System for managing and streaming media, was found to contain an argument injection vulnerability in the VideosController, specifically in the /Videos//stream and /Videos//stream. endpoints. The vulnerability affects versions up to 10.8.12 and has been patched in version 10.8.13. The vulnerability allows an unauthenticated attacker to inject arguments into FFmpeg commands through the videoCodec and audioCodec parameters (GitHub Advisory).

The vulnerability stems from insufficient validation of the videoCodec and audioCodec parameters in the VideosController. These parameters are passed directly to FFmpeg command line without proper sanitization. While UseShellExecute is set to false preventing direct command execution, an attacker can still inject additional FFmpeg arguments. The vulnerability requires knowledge of a valid itemId (a random GUID), making unauthenticated exploitation unlikely without additional information leaks (GitHub Advisory, NVD).

The vulnerability could allow attackers to: 1) Overwrite arbitrary files with zero byte files 2) Include text files into the final video via FFmpeg's drawtext filter 3) Include any file as an attachment to the final video. In combination with other features like password reset functionality, an attacker could potentially gain administrative access. If admin privileges are obtained, there is potential for remote code execution by replacing the media encoder with a malicious file (GitHub Advisory).

The vulnerability has been patched in Jellyfin version 10.8.13. Users are advised to upgrade to this version. The fix involves proper validation and sanitization of codec parameters before passing them to FFmpeg (GitHub Advisory).