Vulnerability Details CVE-2020-5741
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.444
EPSS Ranking 97.4%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 6.5
Proposed Action
Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-32
- http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-32
Products affected by CVE-2020-5741
-
cpe:2.3:a:plex:media_server:-
-
cpe:2.3:a:plex:media_server:0.9.9.2
-
cpe:2.3:a:plex:media_server:1.13.2.5154
-
cpe:2.3:a:plex:media_server:1.18.2.2029
-
cpe:2.3:a:plex:media_server:1.18.2.2029-36236cc4c
-
cpe:2.3:a:plex:media_server:1.19.1.2701
-
cpe:2.3:o:microsoft:windows:-