[GHSA-95fv-5gfj-2r84] Emby Server API Vulnerability allowing to gain administrative access without precondition #6584
base: softworkz/advisory-improvement-6584
Hi there @softworkz! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This pull request corrects a GitHub Security Advisory for an Emby Server vulnerability by removing incorrect NuGet package references and properly identifying the affected product as the Emby Server application itself (not NuGet packages). The advisory originally listed MediaBrowser.Server.Core as the affected package, which caused unaffected NuGet packages to be incorrectly flagged as vulnerable.
- Changed affected package from MediaBrowser.Server.Core to properly identify the Emby Server application (stable and beta versions)
- Updated fixed version from 4.9.1.81 to 4.9.1.90 for stable release
- Added separate entry for Emby Server Beta with fixed version 4.9.2.7
advisories/github-reviewed/2025/12/GHSA-95fv-5gfj-2r84/GHSA-95fv-5gfj-2r84.json
| "package": { | ||
| "ecosystem": "NuGet", | ||
| "name": "Emby-Server-Beta-(not-any-nuget-package)" | ||
| }, |
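Review bot: the `"name"` in this `package` block, "Emby-Server-Beta-(not-any-nuget-package)", is not a NuGet package identifier (it embeds prose and parentheses), and pairing it with `"ecosystem": "NuGet"` keeps the advisory tied to the NuGet ecosystem even though the PR exists to stop NuGet packages from being flagged. Since the advisory database only accepts a fixed set of package ecosystems, a standalone application such as Emby Server has no matching ecosystem, and a placeholder package entry will either fail validation or match nothing; consider dropping the package-level `affected` entries and carrying the product and fixed versions (4.9.1.90 stable, 4.9.2.7 beta) in the advisory description and references instead.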
Copilot (AI), Dec 27, 2025
The package name "Emby-Server-Beta-(not-any-nuget-package)" is problematic because it's marked as ecosystem "NuGet" but explicitly states it's not a NuGet package. This creates an inconsistency in the advisory metadata. If this is the Emby Server Beta application rather than a NuGet package, consider using a different ecosystem type or advisory format that better represents standalone applications rather than package dependencies.
There is no matching "ecosystem".
Comments
Somebody has changed the affected products from the original advisory (GHSA-95fv-5gfj-2r84) to some of our NuGet packages, which are in no way affected. Now they are shown on NuGet as vulnerable even though that isn't true. The NuGet packages merely contain interfaces for plugins, and using a newer or older NuGet package doesn't have an effect on security. This is solely a matter of updating the Emby Server software to the latest versions.
Our NuGet packages must not be marked as vulnerable, and with all due respect, I do not understand how you can make such a fundamental and impactful change to the information we have given, even without checking back.
Thanks