Cyber Resilience

CVE-2023-33193

Critical

Published: 30 May 2023
Modified: 21 November 2024
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.4567 (97.7th percentile)
Risk Priority: 46 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-33193 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Emby Emby.Releases. Its CVSS base score is 9.1 (Critical).

Operationally, this CVE ranks in the top 2.3% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Emby Server, a user-installable home media server, contains a header spoofing vulnerability that affects the local versus non-local network determination logic used for reverse proxy interoperability. By manipulating specific headers, an unauthenticated remote attacker can bypass intended access controls on publicly reachable installations where administrative accounts lack password requirements or other hardening. The flaw is tracked as CWE-444 and carries a CVSS 3.1 score of 9.1.

An attacker with network access to an exposed Emby Server instance can spoof the relevant headers to either enumerate user accounts that have no password set or obtain administrative login without credentials, depending on the server's account configuration. This requires no prior authentication and succeeds against default or loosely configured deployments.

The official Emby security advisory states that the issue is resolved in Emby Server 4.7.12 and Beta 4.8.31; administrators are advised to apply these updates and restrict administrative accounts to require passwords. The associated EPSS score reached a peak of 0.5704 before receding to its current value of 0.4567.


Vulnerability details

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without a password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server systems which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.
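As an added illustration of the failure mode described in the analysis and the advisory above (not Emby's code; the header name, the trusted proxy address and the sample addresses are assumptions), a local-network check that honours a forwarding header from any TCP peer, beside the hardened form that honours it only when the peer is a known reverse proxy and fails closed on unparsable values:

```python
import ipaddress

# Assumed reverse proxy address and forwarding header name (constructed).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
FORWARDED_HEADER = "X-Forwarded-For"

# Explicit "local" ranges rather than ipaddress.is_private, so documentation
# ranges such as 203.0.113.0/24 are treated as remote.
LOCAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


def is_local_address(addr: str) -> bool:
    """True if addr parses and falls in a local range; unparsable -> remote."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # fail closed: treat garbage as non-local
    return any(ip in net for net in LOCAL_NETWORKS)


def _first_hop(forwarded: str) -> str:
    # Left-most entry is the original client by convention; it is also
    # the entry an untrusted sender controls.
    return forwarded.split(",")[0].strip()


def client_ip_weak(remote_addr: str, headers: dict) -> str:
    """Flawed: believes the forwarding header no matter who sent it."""
    forwarded = headers.get(FORWARDED_HEADER)
    return _first_hop(forwarded) if forwarded else remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Honour the forwarding header only when the TCP peer is a known proxy."""
    forwarded = headers.get(FORWARDED_HEADER)
    peer = ipaddress.ip_address(remote_addr)
    if forwarded and peer in TRUSTED_PROXIES:
        return _first_hop(forwarded)
    return remote_addr


def is_local_weak(remote_addr: str, headers: dict) -> bool:
    return is_local_address(client_ip_weak(remote_addr, headers))


def is_local_hardened(remote_addr: str, headers: dict) -> bool:
    return is_local_address(client_ip_hardened(remote_addr, headers))
```

The same header sent directly from a remote peer is classified as local by the weak check and as remote by the hardened one, while a genuine proxy's forwarded client address is still honoured.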


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

emby
emby.releases
≤ 4.7.0.12, and 4.8.0.0 through 4.8.31

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
