How much has been fixed for this, as of June 2023?
I quite like it as a Plex replacement, it passes the "partner test" AND the "parent test" - they can both install the app and watch what they want (as long as they turn off the android player default, which is a terrible default).
I have it behind a firewall so nothing can access it (it's just for home, or for those who need it, over Wireguard). When I have time, it could be a good experiment for Podman or some other way to run rootless containers/jails.
You should probably never expose a service like that directly, no matter what it is, to the internet, at least have it behind something like Tailscale.
Many of these don't seem too bad to be honest. A lot of these are information disclosures that require knowing very long tokens.
The LDAP addon listing credentials is bad. The rest seems like it shouldn't be a problem for normal (in-home streaming) usage; i.e. users reading each other's last login time shouldn't be a problem if you trust the people you share the server with.
That's really the key point here: Trusting the people you share the server with.
Jellyfin is kind of binary in that regard. Once you're authenticated - no matter the privileges - you can reach a lot of places.
I've written about this recently, if anyone's interested.
Like others have mentioned, you should probably only expose the server to a trusted group of users (ideally not directly on the Internet).
Definitely. I know there are people who share Plex servers with tens or even hundreds of people, and for those types of use cases you'll definitely want to avoid Jellyfin, but that's not what Jellyfin is intended to be used for.
I don't think standard users can change important system settings, but I've always assumed that they can look at stuff like logged in users and the current state of the system.
It seems that most of these issues are not really a problem if the system is used for a small set of people on LAN only, with VPN if needed elsewhere.
Perhaps the browser local storage is an issue, but may be mitigated if the credentials are only useful for that LAN service, with no way for someone to access outside the LAN anyway. Although I'm not a security expert so I may be missing something here.
I gave jellyfin a test-drive a few years ago, it was nice but I ended up back with plex. Thanks for the link (and thanks to those who compiled it!). Enumerating all the potential security issues is important for something that runs 24/7 from the home network. That's a decent-sized list, would give me pause on giving JF another test run.