Jellystat Path Traversal Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in Jellystat, a statistics application for Jellyfin, in versions prior to 1.1.2. The vulnerability arises because the application uses the value of a route parameter directly as a filename without validating it. This flaw allows relative path traversal, enabling an authenticated admin user to read arbitrary files from the server or delete specific files through the backup-related endpoints. The issue has been addressed in version 1.1.3.

Impact

Exploitation of this vulnerability allows for reading of any file on the system, including sensitive files like the password file, and deletion of arbitrary files, which could disrupt system operations or application functionality.

Reproduction

To reproduce this vulnerability, an admin user can send a GET request to the '/backup/files/:filename' endpoint with a crafted filename parameter that includes '../' sequences to traverse directories. This request will bypass normal file access restrictions and allow the user to read any file on the system. Similarly, the DELETE method can be used to remove files by specifying a filename parameter that also includes path traversal sequences.

Remediation

Users are advised to upgrade to Jellystat version 1.1.3, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 6.7
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.