Vulnerability disclosure: New Jellyfin users are mistakenly made admins and can read the LDAP bind password #174
This security vulnerability has been fixed. It has been exploited at least once, and probably only once.
Thanks again to @ersei for discovering this serious vulnerability. This is their description of the attack:
Jellyfin has been fixed so that it no longer makes new users admins. All old users have also been demoted from being admins.
I also configured SSSD to not allow LDAP users with a UID or GID under 1001, as a second countermeasure in case an attacker acquires the LDAP password.
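As an added illustration (not from this issue or its author), this is what that second countermeasure looks like on the SSSD side; the domain name and LDAP URI are assumed values, while `min_id` is the real sssd.conf option that makes SSSD ignore users and groups whose ID falls below the limit:

```ini
# /etc/sssd/sssd.conf (added example; domain name and ldap_uri are assumed)
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
# Ignore any LDAP user or group whose UID/GID is below 1001, so a directory
# entry carrying a low ID (one that overlaps root or local system accounts)
# is never resolved on this host, even if the LDAP bind password leaks.
min_id = 1001
```

Restart sssd and clear its cache (`sss_cache -E`) after the change, then confirm with `id <ldap-user>` that only entries at or above 1001 resolve.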