Attacker Value
Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
1

CVE-2020-5741

Disclosure Date: May 08, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Metasploit Module

Description

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.

Add Assessment

4
Ratings
Technical Analysis

A vulnerability exists within Plex that allows an authenticated attacker to submit data that is deserialized through Python in an unsafe manner. This leads to code execution within the context of the Plex server. Given the nature of Python serialization vulnerabilities, exploitation of this is relatively easy and reliable. Exploitation attempts involve creating a new photo library and setting the LocalAppDataPath which will trigger the deserialization process.

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • plex

Products

  • media server

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis