Security vulnerability in Jellyfin module

A security vulnerability in NixOS’s Jellyfin module was discovered and reported by Sofie Finnes Øvrelid.

Summary

The Jellyfin module exposed Jellyfin’s state directory, which contains secrets, to all local users.

Resolution

The module has been updated to set the mode of the state directory to 0700, denying other users access to the files. The issue is fixed on the current state of nixos-unstable, nixos-22.05, and nixos-21.11. Updating systems running the jellyfin module, as well as rotating secrets that may have been exposed, is recommended.

Description

(courtesy of Sofie Finnes Øvrelid)

Current installation procedures on unstable will create /var/lib/jellyfin as a 755 folder where all configurations are world readable.

Impact

Secrets are accessible to all local users of the system. This includes:

  • Session tokens, which can be used to hijack other users’ sessions
  • Hashed passwords
  • Configuration files, which may include credentials for other services.

References

fix on master branch: jellyfin: fix permissions on state directory by lheckemann · Pull Request #175729 · NixOS/nixpkgs · GitHub
fix on nixos-22.05 branch: [Backport release-22.05] jellyfin: fix permissions on state directory by github-actions[bot] · Pull Request #175761 · NixOS/nixpkgs · GitHub
fix on nixos-21.11 branch: [Backport release-21.11] jellyfin: fix permissions on state directory by github-actions[bot] · Pull Request #175760 · NixOS/nixpkgs · GitHub

5 Likes
Hosted by Flying Circus.