git: 620614c60f94 - main - security/vuxml: Document CVE-2021-42835 for multimedia/plexmediaserver{-plexpass} < 1.25.0

From: Nuno Teixeira <eduardo_at_FreeBSD.org>
Date: Mon, 30 Jan 2023 11:32:10 UTC
The branch main has been updated by eduardo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=620614c60f94324f19c33d109199f1f026b41b1f

commit 620614c60f94324f19c33d109199f1f026b41b1f
Author:     Nuno Teixeira <eduardo@FreeBSD.org>
AuthorDate: 2023-01-30 11:28:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2023-01-30 11:28:30 +0000

    security/vuxml: Document CVE-2021-42835 for multimedia/plexmediaserver{-plexpass} < 1.25.0
    
    PR:             269226
    Reported by:    grahamperrin
---
 security/vuxml/vuln/2023.xml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 69a71f064588..048c383e8c1c 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,31 @@
+  <vuln vid="98f78c7a-a08e-11ed-946e-002b67dfc673">
+    <topic>Plex Media Server -- security vulnerability</topic>
+    <affects>
+      <package>
+	<name>plexmediaserver</name>
+	<name>plexmediaserver-plexpass</name>
+	<range><lt>1.25.0</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Plex Security Team reports:</p>
+	<blockquote cite="https://forums.plex.tv/t/security-regarding-cve-2021-42835/761510">
+	  <p>We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.</p>
+	  <p>Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-42835</cvename>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42835</url>
+    </references>
+    <dates>
+      <discovery>2021-10-22</discovery>
+      <entry>2023-01-30</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="791a09c5-a086-11ed-954d-b42e991fc52e">
     <topic>prometheus2 -- basic authentication bypass</topic>
     <affects>
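Review bot: The `<range><lt>1.25.0</lt></range>` bound in the new plexmediaserver entry is looser than the fixed build named in the quoted advisory (1.25.0.5282), so a packaged 1.25.0.x build below 5282 would compare as newer than 1.25.0 and would not be flagged by an audit run; `<range><lt>1.25.0.5282</lt></range>` matches the advisory's wording. Whether such an intermediate port version was ever shipped is not visible from this hunk, so this is a conservative tightening rather than a confirmed gap. The topic is also generic: the quoted text describes a local privilege escalation limited to Windows hosts, and `<topic>Plex Media Server -- local privilege escalation on Windows</topic>` would let someone reading audit output judge relevance at a glance. The vendor advisory URL already present in the blockquote `cite` attribute could also be listed as a `<url>` under `<references>`, next to the CVE link.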