All (raw) image endpoints in ImageByNameController, ImageController & RemoteImageController are unauthenticated
This allows probing on whether a specific image exists on the server by guessing item id’s (which can be done without too much trouble, as item ids are based on filepath and filename information) and then checking on what content (movies, series etc) exist on a given server, without having an account.
As I said, when you know the exact path of a media item on the server then you can check if the item exists.
If you choose a none standard filepath its not an issue.
Should that be fixed yes.
Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.
Mitigation? Just add another random letter in the docker-compose mount path.
All (raw) image endpoints in ImageByNameController, ImageController & RemoteImageController are unauthenticated
As I said, when you know the exact path of a media item on the server then you can check if the item exists.
If you choose a none standard filepath its not an issue.
Should that be fixed yes.
Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.
Mitigation? Just add another random letter in the docker-compose mount path.