Hello!
Yesterday we were notified that CVE-2018-21031 was filed against the Plex Media Server and we wanted to address that in this post.
The issue described in CVE-2018-21031 is not a vulnerability in Plex Media Server. The article and video referenced in the CVE demonstrate a way that an attacker can exploit a common misconfiguration of a piece of third-party software (Tautulli) to obtain a Plex authentication token.
Once in possession of this token, the attacker is indistinguishable from the legitimate user and can access the Plex Media Server. This does not reflect an issue with any Plex product. Users who authenticate to Plex with third-party software are advised to ensure that the software does not expose authentication tokens to the public internet. For instance, in Tautulli it’s recommended that you require authentication to access the tool.
Stay safe out there!
Thanks,
Plex Security Team