Comment on Plex’s crackdown on free remote streaming access starts this week - Ars Technica
tyler@programming.dev 3 weeks agoAside from most of those being “potential issues”, which weren’t proven, the rest are GETs of things that do not need to be secret, things like album art and list of installed plugins. Besides the one plugin issue, which was an actual security issue, which was fixed over a year and a half ago. github.com/jellyfin/jellyfin/pull/11436
Contrast that with Plex which has numerous high severity CVEs that include things like remote code execution, directory traversal, and more.
list of installed plugins.
Yeah, as you said, that’s a pretty serious security issue. That’s a data leak that explicitly lays out the shape of your attack surface. It tells the attacker exactly what additional software your server is running and if any of it includes known vulnerabilities, the attacker now knows how to gain access.
That only works if the plugins are somehow accessible through an api controller, which as far as I’m aware, is not how jellyfin plugins work. So no, it wouldn’t increase your attack surface at all.
You’re aware those CVEs are only relevant for ancient versions of Plex and were fixed long ago?
They are not marked as resolved.
CVEs don’t get issued “resolved” statuses… They are either reserved, published, or rejected (technically NVD have a few extra for published). That’s just junk data in that tool you’re using. Use authoritative sources like cve.org or nvd.nist.gov.
You can see the CPEs on NVD and they’re old versions of Plex.
Those are the the ones that somone has managed to find in closed source software…
MaggiWuerze@feddit.org 3 weeks ago
And you think if Jellyfin were a comparable size, there wouldn’t be just as many or more?
tyler@programming.dev 2 weeks ago
No… because more people would be working on it.