Main Vulnerability Database SB2021032237

SB2021032237 - Path traversal in Jellyfin

Published: March 22, 2021 Updated: April 15, 2026

Security Bulletin ID SB2021032237

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2021-21402)

The vulnerability allows a remote attacker to disclose arbitrary files from the server file system.

The vulnerability exists due to path traversal in certain endpoints when handling specially crafted requests. A remote attacker can send specially crafted requests to disclose arbitrary files from the server file system.

The issue is more prevalent when Windows is used as the host operating system.

Remediation

Install update from vendor's website.

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx
https://github.com/advisories/GHSA-wg4c-c9g9-rxhx