We have recently been made aware of a security vulnerability related to our Camera Upload feature that could allow a user you have explicitly granted access to the Camera Upload feature to gain unauthorized access to the device running your Plex Media Server. We are not aware of any cases where this vulnerability has been exploited, but we take all security issues very seriously and have acted accordingly to address the issue. This issue has been assigned CVE-2019-19141 (this is a tracking number for security issues).
We have issued a hotfix in Plex Media Server version 1.18.2.2041 and it’s available to everyone now. We strongly encourage all users to upgrade to this version.
Out of an abundance of caution, in order to prevent the vulnerability from being exploited against users who have not yet updated, we have also disabled the Camera Upload feature on versions of Plex Media Server between 1.0.0 and 1.18.2.2041; this includes most affected installs, but not those on very old releases. Users on older versions can manually disable the “Allow Camera Upload” sharing restriction . You can check your installed version in the Plex Web app . If you have an older version of Plex Media Server installed, you will not be able to use the Camera Upload feature until you have upgraded to version 1.18.2.2038 or newer.
The Plex Team
