Impact
The vulnerability resides in the Jellyfin media server’s POST /ClientLog/Document endpoint, where the Authorization header’s Client and Version values are incorporated unsanitized into the on‑disk filename used to store uploaded log documents. An authenticated, non‑admin user can supply a Client value containing sequences such as ../ that alter the intended file path. The server then writes the supplied content to the constructed location with a forced .log extension. This flaw permits arbitrary file creation or overwrite of any file accessible to the Jellyfin service user, potentially exposing sensitive data or enabling the execution of malicious files. The impact is a loss of integrity for files within the service’s disk space and a risk of malicious payload deployment, while confidentiality is at risk if attacker‑controlled logs conceal data or contain malicious content. The weakness is classified as CWE‑22 Path Traversal.
Affected Systems
This issue affects the open‑source Jellyfin media server from version 10.9.0 up through 10.11.9, inclusive. Only users with authenticated, non‑admin permissions can exploit this behavior, as the endpoint requires Authorization for log uploads. Based on the description, it is inferred that installations on Windows and Linux running the vulnerable Jellyfin package are susceptible.
Risk and Exploitability
The recorded CVSS score of 8.8 indicates a high‑severity risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been publicly exploited in the wild. The likely attack vector is a network‑based HTTP POST request to /ClientLog/Document from an authenticated session; the Authorization header can be manipulated by the attacker to supply the malicious Client value. Exploitation requires only that the victim’s Jellyfin server be reachable and that the user have a valid, non‑admin session. An attacker could therefore use any legitimate account – such as a shared user profile – to inject files of their choosing and potentially influence the server’s runtime behavior.
OpenCVE Enrichment