🇨🇦
I got the same email.
I haven’t had plex installed for over 7 years, and I’ve NEVER used the shared libraries feature.
We noticed that you’ve accessed libraries from friends and family in the past
They’ve apparently noticed activity that’s never occurred.
I use https://filebrowser.org/ for this.
Nice lightweight filebrowsing/sharing with user management. Users can have their own dedicated directories, or collaborate.
You can also create share links that allow anyone with the link to view/download files. Optionally password protected.
Here’s a demo you can mess with: https://demo.filebrowser.org/ User: demo Pass: demo
I’m so tired of seeing this overblown reaction to ancient non-news.
Yes, there are some minor vulnerabilities in Jellyfin; but they really really aren’t concerning.
Unauthenticated, a random person could potentially (with some prior knowledge of this specific issue, and some significant effort randomly generating media UUIDS to tryout) retrieve/playback some media unauthorized. THATS IT. That’s the ONLY real concern. And it’s one you could mitigate with a fail2ban filter if you were that worried about it.
The other ‘issues’ here, are the potential for your already authenticated users to attack each others settings. Who do you share your server with that you’re concerned about them attacking each other???
Put this to bed and stop fussing over it. It’s genuinely not worth your time or attention. Exposing Jellyfin to the net is fine.
Dev comment on the situation: (4 days ago) https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
In the case of plex, it’s not 100% selfhosted. There’s a dependence on plexs public infrastructure for user management/authentication. They also help bypass NAT by proxying connections through their servers so you don’t have to setup port forwarding and can even easily escape double NAT situations.
I can understand paying for that convenience, but cost keeps rising while previously free features continue to get locked behind paywalls.
Tbh, having users required to authenticate with plex.tv was enough for me to look elsewhere. The biggest reason to self host for me is to remove dependency on public services.