Strix
26.1K

CVE-2023-33193

CRITICALCVSS 9.1/10EPSS 1.71%

Last modified

CVE-2023-33193 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. EPSS estimates a 1.71% chance of exploitation in the next 30 days.

Description

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.

Metrics

CVSS 3.1
9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Probability
1.71%

74.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
EmbyEmby.Releases< 4.7.0.12
EmbyEmby.Releases>= 4.8.0.0, < 4.8.31

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-33193?
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.
How severe is CVE-2023-33193?
CVE-2023-33193 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 1.71% probability of exploitation in the next 30 days.
How do I fix CVE-2023-33193?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-33193?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST