Vulnerability Description
Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. The token is the credential Plex Media Server uses to authorise API requests, so anyone who can read it from an exposed Tautulli instance can act against the Plex server with the privileges of that token. NOTE: Initially, this id was associated with Plex Media Server 1.18.2.2029-36236cc4c as the affected product and version. Further research indicated that Tautulli is the correct affected product.
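The bug class here is a management UI or API that hands a stored upstream credential back to whoever can load the page. The following is an added illustration, not code from Tautulli, Plex or the advisory: a hypothetical settings handler in its leaking and hardened forms, plus a scanner a practitioner can run over the body of a response to check whether a token-shaped value is being echoed. The config key names (`pms_token` etc.) and the 20-character token shape are assumptions for the example.

```python
import json
import re

# Constructed sample config for a hypothetical monitoring app that stores the
# Plex server's X-Plex-Token. Key names and the token value are made up.
SAMPLE_CONFIG = {
    "pms_ip": "192.168.1.20",
    "pms_port": 32400,
    "pms_token": "AbCdEfGhIjKlMnOpQrSt",  # constructed, not a real token
    "http_username": "admin",
}

# Assumption: config keys that may hold a Plex token.
TOKEN_KEYS = ("x-plex-token", "pms_token", "plex_token")

# Assumption: a Plex token is 20 URL-safe characters. Heuristic only.
TOKEN_CHARS = r"[A-Za-z0-9_-]{20}"

# Three places a token commonly leaks in an HTTP response body.
LEAK_PATTERNS = [
    # JSON settings dump:  "pms_token": "AbCd..."
    re.compile(r'(?i)"(?:x-plex-token|pms_token|plex_token)"\s*:\s*"(' + TOKEN_CHARS + r')"'),
    # URL query string embedded in a page or log:  ?X-Plex-Token=AbCd...
    re.compile(r"(?i)x-plex-token=(" + TOKEN_CHARS + r")\b"),
    # HTML form field pre-filled with the secret:  <input name="pms_token" value="AbCd...">
    re.compile(r'(?i)name="(?:x-plex-token|pms_token|plex_token)"[^>]*value="(' + TOKEN_CHARS + r')"'),
]


def render_settings_vulnerable(config: dict) -> str:
    """Leaking form: serialise the config verbatim. Any client that can fetch
    this response (no auth, or auth disabled) receives the raw Plex token."""
    return json.dumps(config)


def mask_secret(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so an admin can recognise the
    token without the page ever carrying the full value."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def render_settings_hardened(config: dict) -> str:
    """Hardened form: the real token stays server-side; the page gets a mask.
    A token change should be submitted as a write, never read back in full."""
    safe = dict(config)
    for key in list(safe):
        if key.lower() in TOKEN_KEYS:
            safe[key] = mask_secret(str(safe[key]))
    return json.dumps(safe)


def find_leaked_tokens(body: str) -> list[str]:
    """Detection: return every distinct token-shaped value found next to a
    token key name or X-Plex-Token parameter in a response body."""
    hits: list[str] = []
    for pattern in LEAK_PATTERNS:
        for match in pattern.finditer(body):
            token = match.group(1)
            if token not in hits:
                hits.append(token)
    return hits


if __name__ == "__main__":
    leaking = render_settings_vulnerable(SAMPLE_CONFIG)
    fixed = render_settings_hardened(SAMPLE_CONFIG)
    print("vulnerable response leaks:", find_leaked_tokens(leaking))
    print("hardened response leaks:  ", find_leaked_tokens(fixed))
```

Run `find_leaked_tokens` over the saved body of any page or API response your instance serves without authentication; a non-empty result means the credential is reachable by whoever can reach the port. The masked form still lets an operator confirm which token is configured, which is the usual reason a UI shows it at all.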
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tautulli | Tautulli | 2.1.38 and below |
| Plex | Media Server | 1.18.2.2029-36236cc4c (originally listed; the token is leaked by Tautulli, not by Plex Media Server itself) |
Related Weaknesses (CWE)
References
- https://forums.plex.tv/t/security-regarding-cve-2018-21031/493286 (Third Party Advisory)
- https://twitter.com/GerardFuguet/status/1009937529573912576 (Third Party Advisory)
- https://www.elladodelmal.com/2018/08/shodan-es-de-cine-hacking-tautulli-un.html (Exploit, Third Party Advisory)
- https://www.exploit-db.com/docs/47790 (Exploit, Third Party Advisory, VDB Entry)
FAQ
What is CVE-2018-21031?
CVE-2018-21031 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. The id was initially associated with Plex Media Server 1.18.2.2029-36236cc4c; further research identified Tautulli as the correct affected product.
How severe is CVE-2018-21031?
CVE-2018-21031 has been rated MEDIUM with a CVSS base score of 6.5/10. Only the base score is recorded on this page; no vector string or metric breakdown is given.
Is there a patch for CVE-2018-21031?
The description limits the issue to Tautulli 2.1.38 and below, so Tautulli releases newer than 2.1.38 are not listed as affected. Check the references above for the vendor advisory and exploit write-ups. Because the exposed value is a Plex credential, an instance that was reachable while vulnerable should also have its X-Plex-Token rotated, since updating Tautulli does not invalidate a token that has already been read.