A vulnerability was found in morpheus65535 bazarr 1.2.4 and classified as critical. Affected by this issue is the function requests.get of the file bazarr/bazarr/app/ui.py of the component GET Request Handler. The manipulation with an unknown input leads to a server-side request forgery vulnerability. Using CWE to declare the problem leads to CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Bazarr manages and downloads subtitles. In version 1.2.4, the proxy method in bazarr/bazarr/app/ui.py does not validate the user-controlled protocol and url variables and passes them to requests.get() without any sanitization, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting GET requests to internal and external resources on behalf of the server. 1.3.1 contains a partial fix, which limits the vulnerability to HTTP/HTTPS protocols.

The weakness was shared 12/16/2023 as GHSL-2023-192. The advisory is available at securitylab.github.com. This vulnerability is handled as CVE-2023-50266 since 12/05/2023. Technical details are known, but there is no available exploit.

Upgrading to version 1.3.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 17add7fbb3ae1919a40d505470d499d46df9ae6b is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Vendor

• morpheus65535

Name

• bazarr

Version

• 1.2.4

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion