CVE-2023-33193
Published: 30 May 2023
Summary
CVE-2023-33193 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Emby Emby.Releases. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
Emby Server, a user-installable home media server, contains a header spoofing vulnerability that affects the local versus non-local network determination logic used for reverse proxy interoperability. By manipulating specific headers, an unauthenticated remote attacker can bypass intended access controls on publicly reachable installations where administrative accounts lack password requirements or other hardening. The flaw is tracked as CWE-444 and carries a CVSS 3.1 score of 9.1.
An attacker with network access to an exposed Emby Server instance can spoof the relevant headers to either enumerate user accounts that have no password set or obtain administrative login without credentials, depending on the server's account configuration. This requires no prior authentication and succeeds against default or loosely configured deployments.
The official Emby security advisory states that the issue is resolved in Emby Server 4.7.12 and Beta 4.8.31; administrators are advised to apply these updates and restrict administrative accounts to require passwords. The associated EPSS score reached a peak of 0.5704 before receding to its current value of 0.4567.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37370
Vulnerability details
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without a password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server systems which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.
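Both the analysis above and the advisory text describe the same defect: a header meant for reverse-proxy interoperation is believed no matter who sent it, so the local/non-local decision can be steered by the client. The following is an added Python example, not Emby's code; it assumes X-Forwarded-For as the representative header (the page does not name the headers involved) and uses constructed proxy and client addresses to contrast the weak pattern with a trusted-proxy check.

```python
import ipaddress
from typing import Mapping, Sequence, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# "Local network" as the privileged case: RFC 1918 / ULA ranges plus loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns "" when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def naive_client_ip(peer_ip: str, headers: Mapping[str, str]) -> Address:
    """Weak pattern: believe X-Forwarded-For from any peer, so a directly connected
    remote client can claim a LAN address simply by sending the header."""
    xff = _header(headers, "X-Forwarded-For")
    return ipaddress.ip_address(xff.split(",")[0].strip() if xff else peer_ip)


def hardened_client_ip(peer_ip: str, headers: Mapping[str, str],
                       trusted_proxies: Sequence[str]) -> Address:
    """Honour X-Forwarded-For only when the TCP peer is a configured reverse proxy,
    and use the right-most hop that is not itself a trusted proxy: each proxy appends
    the address it received from, so anything the client fabricated sits to the left."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in n for n in nets):
        return peer  # direct connection: the header carries no authority
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the proxy, never to a guess
        if not any(addr in n for n in nets):
            return addr
    return peer  # empty chain, or only proxies listed


def is_local(addr: Address) -> bool:
    return any(addr in n for n in LOCAL_NETS)


if __name__ == "__main__":
    # Constructed request: public peer 203.0.113.5 connects directly and claims a LAN address.
    spoof = {"X-Forwarded-For": "192.168.1.20"}
    print("naive   :", is_local(naive_client_ip("203.0.113.5", spoof)))                   # True
    print("hardened:", is_local(hardened_client_ip("203.0.113.5", spoof, ["10.0.0.2"])))  # False
```

The same check also defeats an injected entry that travelled through a real proxy, because the proxy appends the true peer to the right of whatever the client supplied.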
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.