CVE-2019-19141
Description
The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex users home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.
Risk Information
Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
3.414
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2019-19141,CVE-2020-5742 are affected in Plex Media Server 1.18.2.2029 | Windows |
| Vulnerabilities CVE-2019-19141,CVE-2020-5742 are affected in Plex Media Server (x64) 1.18.2.2029 | Windows |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-350556 | Plex Media Server (1.42.1.10060) |
| PATCH-358065 | Plex Media Server (x64) (1.43.1.10611) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234