Movary 存在 Jellyfin 服务器 URL 验证中的经过身份验证的 SSRF，允许内部网络探测

攻击者可以利用此 SSRF 漏洞扫描内部网络，访问未经授权的内部服务，并可能泄露敏感信息。由于攻击者只需要经过身份验证即可利用该漏洞，因此攻击面相对较广。攻击者可以利用该漏洞访问内部数据库、管理界面或其他内部资源，从而进一步扩大攻击范围。如果 Movary 与其他内部系统集成，攻击者可能能够利用此漏洞进行横向移动，攻击其他系统。

Organizations running Movary in environments with internal services accessible via HTTP/HTTPS are at risk. This includes deployments where Movary is used to manage media libraries and interact with Jellyfin or other internal media servers. Shared hosting environments where multiple users share the same Movary instance are particularly vulnerable, as a compromised user account could be used to exploit the SSRF vulnerability.

• php: Examine Movary application logs for suspicious outbound HTTP requests to internal IP addresses or unusual domains. Use grep to search for patterns related to /settings/jellyfin/server-url-verify and internal URLs.

grep -r '/settings/jellyfin/server-url-verify' /var/log/apache2/access.log

• generic web: Monitor web server access logs for requests to the /settings/jellyfin/server-url-verify endpoint originating from authenticated users. Look for unusual User-Agent strings or request headers.

curl -I http://movary.example.com/settings/jellyfin/server-url-verify

1. 2026-04-18Disclosure

   disclosure

1. 已保留2026-04-10
2. 发布日期2026-04-18
3. 修改日期2026-04-20
4. EPSS 更新日期2026-04-25

最有效的缓解措施是立即升级到 Movary 0.71.1 或更高版本。如果无法立即升级，可以考虑以下临时缓解措施：限制 Movary 访问内部网络的权限，使用 Web 应用防火墙 (WAF) 过滤对 /settings/jellyfin/server-url-verify 端点的请求，并监控系统日志以检测可疑活动。在升级后，请验证新版本是否已正确安装并配置，以确保漏洞已得到修复。