CVE-2021-3177 - has Plex Media Server been patched?

Server Version#: 1.21.4.4079

I recently came across CVE-2021-3177 for Python 3 [1]. This is a “classic” buffer-overflow exploit that can lead to a denial of service attack or malicious code execution. It has a base NVD score of 9.8 - super critical. Some distributions, however, have a lower score because of compile-time hardenings, such as FORTIFY_SOURCE.

Most notable about this CVE is that although it is officially listed as impacting Python 3, Python 2.7 is also impacted [2]. Commercial vendors have offered Python 2.7 patches, but as source only [3]. Plex Media Server ships with a Python 2.7 runtime, which has reached the end of its lifecycle and is no longer supported by the Python community. This issue has been raised elsewhere in this forum, but so far it seems there are no plans for the Plex community to move to Python 3 [4].

Is Plex Media Server vulnerable to this exploit? Has the Python 2.7 runtime that ships with Plex been patched?

[1] NVD - CVE-2021-3177
[2] Red Hat Customer Portal - Access to 24x7 support and knowledge
[3] https://www.activestate.com/blog/latest-python-3-vulnerability-affects-python-2/
[4] When will Plex Media Server shift to Python 3?

I have forwarded this to those who can answer.
I expect someone from that team will respond.


Hello. Thanks for bringing this up. I looked over the bug report and it seems like you have to write malicious Python code to exploit this. We don’t allow for uploading plug-in code remotely or executing Python code via the API in any way. So I am not sure how this would affect PMS users, except maybe if you trick someone into installing a plug-in and that way you can create an overflow scenario.

But that still requires the hard job of creating the exploit, and then you gain access to the user’s PMS user.

I wouldn’t rate this as a high-severity issue for PMS, but I will look into the possibility of adding the patch to our Python.

FYI, for the next time you think there is a security-related problem with PMS, I would suggest you follow our security submission guidelines, since it could also net you a bug bounty plus get you to the security team faster: Reporting Security Issues | Plex Support

