
FULL DISCLOSURE: May 2023 Security Incident Report



Posted
6 hours ago, rbjtech said:


@Luke Do you have a better ETA than 'coming soon' - as that could be next week or it could be next year ... 🤪 This month or next month would suffice .. thanks.


Trying to get a new build out any day now.

thornbill
Posted
On 6/21/2023 at 5:38 AM, softworkz said:

Amendment to section 1.3.1-2

The reason for postponing the disclosure of the mentioned vulnerability is that there is still a number of Emby Servers online where users haven't updated yet. As long as that is the case, we will not disclose the vulnerability. 

Has the additional vulnerability ever been disclosed?

Posted
7 minutes ago, thornbill said:

Has the additional vulnerability ever been disclosed?

Hi, what do you mean by additional?

thornbill
Posted
16 hours ago, Luke said:

Hi, what do you mean by additional?

In section 1.3.1 two vulnerabilities are listed, but it does not seem like the second was ever disclosed:

Eventually, two possible exploitation methods could be identified:

2 Undisclosed Vulnerability

It had turned out later that this wasn't used in any case of the incident under investigation.

Disclosure has been postponed.
This vulnerability has been fixed already in
a. Stable versions >= 4.7.13
b. Beta versions >= 4.8.36

Posted
On 3/6/2024 at 6:47 AM, thornbill said:

Has the additional vulnerability ever been disclosed?

It hasn't and it won't.

The mentioned "undisclosed vulnerability" was based on a hypothesis I had during the investigation of the incident, but it turned out that it didn't apply to the case, and from a retrospective view, it's also been a bit too tricky for someone to have found out without deep knowledge about the product.

So after all, it was merely an idea of how the server could possibly be hacked and I hope you'll understand that we do not share ideas about hacking our software.

Gilgamesh_48
Posted
1 hour ago, softworkz said:

It hasn't and it won't.

The mentioned "undisclosed vulnerability" was based on a hypothesis I had during the investigation of the incident, but it turned out that it didn't apply to the case, and from a retrospective view, it's also been a bit too tricky for someone to have found out without deep knowledge about the product.

So after all, it was merely an idea of how the server could possibly be hacked and I hope you'll understand that we do not share ideas about hacking our software.

I think the real problem was, and is, either magic, gremlins or magical gremlins. ;) :D
