2024-10-14, 04:26 PM
Ah. Posters. I had it in my head you were talking about the actual media. Reading comprehension fail.
That is the current behavior, yes. It is a known issue that requires a significant rework of how images are served.
Here is the github issue that is a sort of "collection of known security issues".
https://github.com/jellyfin/jellyfin/issues/5415
Most are relatively minor. The team has addressed more severe security issues when disclosed, such as privilege escalation vulnerabilities, and unauthenticated access to media.
Some ways to mitigate risk are the following.
1) Hide user names from the login screen (default behavior now, IIRC)
2) Use a reverse proxy and https instead of directly exposing Jellyfin to the Internet
3) Setup fail2ban for both Jellyfin and your reverse proxy to ban repeated login/access failures
That is the current behavior, yes. It is a known issue that requires a significant rework of how images are served.
Here is the github issue that is a sort of "collection of known security issues".
https://github.com/jellyfin/jellyfin/issues/5415
Most are relatively minor. The team has addressed more severe security issues when disclosed, such as privilege escalation vulnerabilities, and unauthenticated access to media.
Some ways to mitigate risk are the following.
1) Hide user names from the login screen (default behavior now, IIRC)
2) Use a reverse proxy and https instead of directly exposing Jellyfin to the Internet
3) Setup fail2ban for both Jellyfin and your reverse proxy to ban repeated login/access failures
Jellyfin 10.10.7 (Docker)
Ubuntu 24.04.2 LTS w/HWE
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
4x WD Red Pro 6TB CMR in RAIDZ1
![[Image: GitHub%20Sponsors-grey?logo=github]](https://img.shields.io/badge/GitHub%20Sponsors-grey?logo=github)
Ubuntu 24.04.2 LTS w/HWE
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
4x WD Red Pro 6TB CMR in RAIDZ1