Strix
26.1K

CVE-2019-19141

HIGHCVSS 8.8/10EPSS 4.35%

Last modified

CVE-2019-19141 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.. EPSS estimates a 4.35% chance of exploitation in the next 30 days.

Description

The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
4.35%

90.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
PlexMedia Server<= 1.18.2.2029

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-19141?
The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.
How severe is CVE-2019-19141?
CVE-2019-19141 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 4.35% probability of exploitation in the next 30 days.
How do I fix CVE-2019-19141?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-19141?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST