CVE-2023-50264 in bazarrinfo

Summary

by MITRE • 12/15/2023

Bazarr manages and downloads subtitles. Prior to 1.3.1, Bazarr contains an arbitrary file read in the /system/backup/download/ endpoint: bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.


Analysis

by VulDB Data Team • 12/16/2023

The vulnerability identified as CVE-2023-50264 affects Bazarr, a subtitle management and download application that allows users to organize and fetch subtitles for their media files. This particular flaw exists in the web interface component of the application, specifically within the /system/backup/download/ endpoint located in the bazarr/app/ui.py file. The vulnerability represents a critical security weakness that could potentially allow unauthorized access to sensitive system files and data.

The technical flaw stems from inadequate input validation: the user-controlled filename variable is neither sanitized nor validated before it is processed. When a request reaches the vulnerable endpoint, the application passes the filename parameter straight to the send_file function without any path validation. This creates a path traversal condition in which the filename parameter can be manipulated to reach arbitrary files on the system where Bazarr is running. The vulnerability aligns with CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal.

The operational impact is significant: a remote attacker can read any file that the Bazarr process is permitted to access on the underlying operating system. This may expose configuration files, user credentials, system logs, or other confidential data stored on the same server, and can serve as a stepping stone to further exploitation or data breaches. The risk is highest where Bazarr runs with elevated privileges or on a host that holds sensitive files.

The remediation was implemented in version 1.3.1 of Bazarr, where validation was added to the filename parameter processing so that user-controlled input is sanitized and checked before it is used in file operations. Security best practice for this class of flaw is strict input validation, an allowlist of acceptable file names, and access controls that confine reads to the intended directory. Organizations should upgrade to version 1.3.1 or later without delay. The fix addresses the underlying issue through these input validation and access control mechanisms, preventing the unauthorized reads of system files that the advisory relates to ATT&CK technique T1213.002 (data from information repositories).
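The two preceding paragraphs describe the defect (a request-supplied filename handed to send_file with no validation) and the shape of the fix (validate and allowlist the name, confine reads to the backup directory). The following module is an added illustration written for this page; it is not Bazarr's code and not the project's actual patch. It assumes a hypothetical backup directory under the system temp folder (BACKUP_DIR), a hypothetical allowlist pattern for archive names (_SAFE_NAME), and a stand-in endpoint handler (handle_download) that returns an HTTP status instead of calling Flask's send_file. The vulnerable pattern is kept as a one-line function for contrast; the hardened path applies two independent checks, and the second one (resolving the path and confirming its parent is still the backup directory) also catches a symlink planted inside the directory, which an allowlist on the bare name alone would miss.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical location of the backup archives; the real Bazarr directory is
# not given on the page, so a directory under the system temp folder stands
# in for it here.
BACKUP_DIR = Path(tempfile.gettempdir()) / "bazarr_backup_example"

# Allowlist (hypothetical policy): a bare zip file name built from a
# conservative character set. No separators, no leading dot, no NUL bytes.
# fullmatch() is used rather than '$' so a trailing newline cannot sneak past.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*\.zip")


def unsafe_backup_path(filename: str, base_dir: Path = BACKUP_DIR) -> Path:
    """The pattern the advisory describes: the request's filename is joined to
    the backup directory and would be handed to send_file with no check, so a
    value containing '..' or an absolute path is not confined to base_dir."""
    return base_dir / filename


def is_safe_backup_name(filename: str) -> bool:
    """First check: syntactic allowlist on the bare file name."""
    return (
        _SAFE_NAME.fullmatch(filename) is not None
        and os.path.basename(filename) == filename
    )


def safe_backup_path(filename: str, base_dir: Path = BACKUP_DIR) -> Path:
    """Return the resolved path of filename inside base_dir, or raise ValueError.

    Two independent checks:
      1. the allowlist rejects separators, '..' segments and absolute paths;
      2. the candidate is resolved (symlinks followed) and must still have
         base_dir as its parent, so a symlink inside the directory cannot
         redirect the read elsewhere.
    """
    if not is_safe_backup_name(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:
        raise ValueError(f"path escapes backup directory: {filename!r}")
    return candidate


def handle_download(filename: str, base_dir: Path = BACKUP_DIR) -> tuple[int, str]:
    """Stand-in for the endpoint's decision, returning (HTTP status, detail):
    400 for a rejected name, 404 when the archive does not exist, and 200 with
    the resolved path that a real handler would pass to send_file."""
    try:
        path = safe_backup_path(filename, base_dir)
    except ValueError as exc:
        return 400, str(exc)
    if not path.is_file():
        return 404, "no such backup"
    return 200, str(path)


def create_sample_backup(filename: str, base_dir: Path = BACKUP_DIR) -> Path:
    """Create an empty placeholder archive so the 200 path can be exercised
    offline. The name goes through the same validation as downloads."""
    path = safe_backup_path(filename, base_dir)
    base_dir.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"")
    return path


if __name__ == "__main__":
    # Constructed sample request values (not from any real traffic) that
    # exercise the allowlist, the 404 branch and the 200 branch.
    create_sample_backup("backup_2023-12-15.zip")
    samples = [
        "backup_2023-12-15.zip",
        "missing.zip",
        "../settings.ini",
        "nested/dir/backup.zip",
        "backup.zip\x00.txt",
    ]
    for name in samples:
        print(f"{name!r:28} -> {handle_download(name)}")
```

In a real Flask handler the same containment check is what `flask.send_from_directory(directory, path)` performs for you through `werkzeug.security.safe_join`, so preferring it over a hand-built `send_file(os.path.join(...))` removes this whole class of mistake; the explicit version above is shown so the two checks and the symlink case are visible.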

This vulnerability demonstrates the importance of input validation in web applications, particularly for file operations driven by user-provided data. It is a classic example of how a missing check in a web interface can have severe consequences, and it highlights the need for defense in depth: input sanitization, access controls, and regular security assessments. Organizations using Bazarr should review their deployment environments and ensure that all instances are updated with the latest security patches to prevent exploitation of this and similar vulnerabilities.

Responsible

GitHub, Inc.

Reservation

12/05/2023

Disclosure

12/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00924

KEV

no

Activities

very low

Sources
