by Mashimo 3 days ago

He claims there are known exploits. Though I also want to know if this is really true.

tech234a 3 days ago
random_human_ 3 days ago

The absolute worst thing I can see in there is that a third party who somehow managed to get a link to one of your library items (either directly from you or from one of your users--or by spending the next decade brute-forcing it I guess) could stream said item: https://github.com/jellyfin/jellyfin/issues/5415#issuecommen...

Everything else looks to me like unimportant issues that would provide someone who's already logged in as a user minor details about your server.

theshrike79 2 days ago

Nearly everyone uses the *arr stack with the Trash guides.

Which means that the paths are pretty damn uniform.

random_human_ 2 days ago

Unless I am misunderstanding the discussion on GitHub, the attacker would still need to know the exact path where the file is saved, and the name of the file itself. Even then, all they can do is download the file from your device--which they could just torrent themselves for a fraction of the effort.

theshrike79 2 days ago

A DDoS is still a valid attack.

Very few consumer connections can manage, say, 100 clients downloading a massive video file simultaneously.