Tautulli Unauthenticated HTTP Request Proxying Vulnerability via pms_image_proxy Endpoint

Vulnerability

In Tautulli versions prior to 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter without authentication and forwards it to the Plex Media Server's /photo/:/transcode transcoder. The endpoint applies no scheme or host restrictions to that value, so the Plex Media Server, which usually runs on the same host or within the internal network, can be made to issue outbound HTTP requests to attacker-specified URLs. This issue has been patched in Tautulli version 2.17.0.

Impact

Exploitation of this vulnerability creates a server-side request forgery (SSRF) condition, where the Plex Media Server is tricked into making HTTP requests to internal or external resources specified by the attacker. This can lead to unauthorized access or exposure of internal services and data.

Reproduction

To reproduce this vulnerability, send an unauthenticated request to the Tautulli server's /pms_image_proxy endpoint with an img parameter that starts with 'http'. Tautulli forwards the value to the Plex Media Server, which then requests the specified URL; the outbound request can be confirmed in the Tautulli server logs or with an out-of-band interaction tool.

Remediation

Users are advised to update to Tautulli version 2.17.0, where this vulnerability has been fixed.
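As an added defensive illustration (not Tautulli's own code), the block below shows the kind of allowlist a proxy-style endpoint needs for its img value, and a small detector that flags /pms_image_proxy requests carrying an absolute URL in reverse-proxy access logs. The expected shape of a legitimate img value (a relative /library/... Plex item path), the Combined Log Format lines, and all hosts and timestamps in them are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed shape of a legitimate img value: a relative Plex item path such as
# /library/metadata/1234/thumb/1690000000 (assumption for this example).
ALLOWED_IMG = re.compile(r"^/library/[A-Za-z0-9/_.\-]+$")

def is_safe_img(img: str) -> bool:
    """Accept only relative Plex resource paths; reject anything that names a host."""
    if not img or len(img) > 512:
        return False
    decoded = unquote(img)            # catch percent-encoded "//" or "http:"
    parts = urlsplit(decoded)         # urlsplit lowercases the scheme, so HTTP:// is caught too
    if parts.scheme or parts.netloc:  # http://, HTTP://, //host, file: are all absolute targets
        return False
    if not decoded.startswith("/") or "\\" in decoded or ".." in decoded:
        return False
    return bool(ALLOWED_IMG.match(parts.path))

# Constructed access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2026:20:26:01 +0000] "GET /pms_image_proxy?img=/library/metadata/1234/thumb/1690000000 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Mar/2026:20:26:02 +0000] "GET /pms_image_proxy?img=http://203.0.113.7/collect HTTP/1.1" 200 12
203.0.113.7 - - [30/Mar/2026:20:26:03 +0000] "GET /pms_image_proxy?img=%2F%2F203.0.113.7%2Fx HTTP/1.1" 200 12
10.0.0.5 - - [30/Mar/2026:20:26:04 +0000] "GET /home HTTP/1.1" 200 8000
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_proxy_requests(log_text: str) -> list:
    """Return (client_ip, timestamp, img) for /pms_image_proxy hits whose img fails is_safe_img."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        url = urlsplit(target)
        if url.path != "/pms_image_proxy":
            continue
        for img in parse_qs(url.query).get("img", []):   # parse_qs percent-decodes values
            if not is_safe_img(img):
                hits.append((client, ts, img))
    return hits

if __name__ == "__main__":
    for hit in suspicious_proxy_requests(SAMPLE_LOG):
        print("suspicious pms_image_proxy request:", hit)
```

A bare "starts with http" filter would miss the percent-encoded and scheme-relative forms in the sample, which is why the check parses the value rather than string-matching it.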

Added: Mar 30, 2026, 8:26 PM
Updated: Mar 30, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm scores:
spread: 4.5
impact: 0.4
exploitability: 6.6
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.