CVE-2023-50265 in bazarr
Summary
by MITRE • 12/15/2023
Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
Analysis
by VulDB Data Team • 12/16/2023
CVE-2023-50265 affects Bazarr, a subtitle management and download tool that automates subtitle acquisition for media files. The flaw sits in the application's web interface and is a critical arbitrary file read vulnerability that could allow attackers to access sensitive files on the underlying system. It resides in the /api/swaggerui/static endpoint in bazarr/app/ui.py, where inadequate input validation opens the way to exploitation. All releases prior to 1.3.1 are affected, so a significant portion of the user base is potentially vulnerable.
The vulnerability stems from the improper handling of user-controlled input in the send_file call. When the application serves requests to the swaggerui static endpoint, it accepts a filename parameter that should be validated before it is used in file system operations. Without that validation, an attacker can manipulate the filename parameter to traverse the file system and read files that should remain protected. This corresponds to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. In effect, the flaw lets an attacker bypass normal access controls and read arbitrary files from the server's file system.
The impact goes beyond simple information disclosure: the flaw could expose sensitive system information, configuration files, or authentication credentials stored on the affected system. Attackers could use it to learn about the application's internal structure and system configuration, and to reach other files containing sensitive data. Because the vulnerability is in the web interface, exploitation requires network access to the Bazarr instance, but once exploited it grants access to files that were never meant to be publicly readable. The risk is greatest for users who run Bazarr on systems holding sensitive data or in environments where the application is exposed to untrusted networks.
The fix shipped in Bazarr 1.3.1, which adds proper input validation to the filename parameter so that user-controlled input is sanitized before it reaches any file system operation, closing the path traversal vector. Organizations using Bazarr should upgrade to version 1.3.1 or later immediately. System administrators should additionally use network segmentation and access controls to limit the application's exposure to untrusted networks. The case underlines the importance of input validation in web applications, particularly around file system operations. From an ATT&CK framework perspective, the vulnerability maps to technique T1213.002, which involves data from information repositories, and T1566.002, which covers spearphishing via web applications, since the flaw could be exploited through web-based attack vectors. Organizations should also consider deploying web application firewalls and monitoring for suspicious file access patterns that might indicate exploitation attempts.
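A reduced illustration of the bug class described above and of the containment check that a fix needs, added here as an example and not taken from Bazarr's code. The static-directory layout is constructed in a temporary directory, and the helper names (`unsafe_static_path`, `safe_static_path`, `build_fixture`) are my own.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_static_path(static_dir: str, filename: str) -> Path:
    # Vulnerable pattern: user input is joined onto the served directory with no
    # containment check, so "../" segments (or symlinks) can point outside it.
    return Path(static_dir) / filename


def safe_static_path(static_dir: str, filename: str) -> Optional[Path]:
    """Return the file under static_dir named by filename, or None when the
    request would escape the directory or names something that is not a file."""
    base = Path(static_dir).resolve()
    # Reject empty names, embedded NUL bytes and absolute paths before touching the FS.
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return None
    # resolve() collapses ".." and follows symlinks, so the containment test is
    # made on the real target rather than on the lexical string the client sent.
    candidate = (base / filename).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def build_fixture() -> tuple:
    """Constructed layout for the demo: a static dir holding one legitimate asset,
    plus a sibling file that must never be served. Returns (static_dir, secret_path)."""
    root = tempfile.mkdtemp()
    static = Path(root) / "static"
    static.mkdir()
    (static / "swagger.json").write_text("{}")
    secret = Path(root) / "secret.txt"
    secret.write_text("constructed sensitive content")
    try:  # a symlink inside the served dir that points outside it (may be disallowed on Windows)
        os.symlink(secret, static / "link.json")
    except (OSError, NotImplementedError):
        pass
    return str(static), str(secret)


if __name__ == "__main__":
    static_dir, secret = build_fixture()
    # The unchecked join happily escapes the directory; the checked one refuses.
    print("unsafe:", unsafe_static_path(static_dir, "../secret.txt").resolve() == Path(secret).resolve())
    print("safe  :", safe_static_path(static_dir, "../secret.txt"))
    print("safe  :", safe_static_path(static_dir, "swagger.json"))
```

The same containment test applies to any route that maps a request parameter onto a file, whether or not a framework helper such as Flask's send_file is involved.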