Movary Jellyfin Server URL Verification SSRF Vulnerability Allows Internal Network Probing
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Movary, a self-hosted movie tracking web application, prior to version 0.71.1. The issue allows authenticated users to make the server send requests to internal network targets via the 'POST /settings/jellyfin/server-url-verify' endpoint. This endpoint accepts a user-controlled URL, appends '/system/info/public', and uses Guzzle to send the request. The vulnerability arises because the supplied URL is not checked against internal hosts, loopback addresses, or private network ranges, enabling unauthorized access to internal services and network probing.
Impact
Exploitation of this vulnerability allows for internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. It could also be used to access internal administrative services or cloud metadata endpoints not directly reachable from outside, according to the advisory.
Reproduction
To reproduce this vulnerability, an authenticated user can send a 'POST' request to the '/settings/jellyfin/server-url-verify' endpoint with a URL pointing to an internal service. The response will indicate whether the request was successful, thereby confirming the exploitation of the SSRF vulnerability.
Remediation
Users should update to Movary version 0.71.1 or later, where this vulnerability has been fixed.
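As an added illustration (not Movary's code or its actual fix), the Python check below is the kind of validation the verify endpoint lacked: it accepts only http(s) URLs whose every resolved address is public, rejecting loopback, private, link-local (including the cloud metadata range) and other non-global addresses, and it judges IPv4-mapped IPv6 literals by their IPv4 form. The hostname table is constructed so the demo runs offline; a real deployment should also connect to the vetted address rather than re-resolving, to avoid DNS rebinding.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

# Constructed lookup table standing in for DNS so the demo runs offline.
DEMO_DNS = {"jellyfin.example.com": ["93.184.216.34"],
            "intranet.local": ["10.1.2.3"]}

def demo_resolver(host: str) -> list[str]:
    if host not in DEMO_DNS:
        raise ValueError(f"no such host: {host}")
    return DEMO_DNS[host]

def system_resolver(host: str) -> list[str]:
    """Resolve via the OS resolver (also normalises shorthand such as 127.1)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_target(ip) -> bool:
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # where cloud metadata lives), multicast, unspecified and reserved space.
    return ip.is_global

def validate_server_url(url: str,
                        resolve: Callable[[str], list[str]] = system_resolver
                        ) -> tuple[bool, str]:
    """Return (ok, reason); ok only for http(s) URLs whose addresses are all public."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IPv4 / [IPv6]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, "hostname does not resolve"
    # Every resolved address must be public; a mixed answer set is rejected.
    for ip in addrs:
        if not is_public_target(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"
```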
