depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!
depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!