Update Your Bazarr Subtitle Downloader to Patch Arbitrary File Read Vulnerability

CVE: CVE-2023-50264
CVSS v3.1: 7.5
Source: CVE-2023-50264

Bazarr is a popular open source tool for managing and downloading subtitles for your media collection. A vulnerability was recently disclosed in Bazarr versions before 1.3.1 that allows an attacker to read arbitrary files on the host it runs on, bounded only by what the account running Bazarr is permitted to read.

The vulnerability lies in the /system/backup/download/ endpoint in Bazarr's UI code. The endpoint takes a user-supplied filename parameter and uses it to pick the file sent back to the requester without validating it first. Because the name is used as-is to build a filesystem path, a crafted request can name a file outside the backup directory, which is the classic path-traversal pattern behind most arbitrary file read bugs.

This arbitrary file read vulnerability carries a CVSS v3.1 base score of 7.5 out of 10, which places it in the High range and makes it an important issue to patch. An attacker exploiting it can retrieve any file the Bazarr process can open: Bazarr's own configuration file, stored credentials and API keys (Bazarr keeps the API keys for the Sonarr and Radarr instances it connects to in its configuration), or other private data kept on the same system.

Bazarr's developers fixed the issue in version 1.3.1. All Bazarr users should confirm the version they are running and update to 1.3.1 or later as soon as possible. Until an instance is updated, it should not be reachable from untrusted networks, since the vulnerable endpoint can be hit with a plain HTTP request. The fix is a reminder that any user-controlled parameter used to build a filesystem path must be validated against the directory it is meant to stay in; otherwise arbitrary file read and related issues follow. Regularly checking for and applying software updates remains the simplest way to stay ahead of known vulnerabilities.
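To make the bug class concrete, here is an added example in Python (Bazarr's language) showing the unvalidated-filename pattern described above next to a hardened version. This is illustrative code written for this article; it is not Bazarr's own handler and not the 1.3.1 patch. The function names unsafe_backup_path and safe_backup_path, the directory layout and the file contents are all constructed for the demonstration.

```python
"""Hypothetical illustration of the bug class behind CVE-2023-50264: a download
endpoint that builds a filesystem path from a user-supplied filename.
Not Bazarr's code and not the 1.3.1 fix; names and layout are constructed."""
import os
import tempfile
from pathlib import Path


def unsafe_backup_path(backup_dir: str, filename: str) -> str:
    """Vulnerable pattern: the request's filename is joined onto the backup
    directory as-is, so '../' components walk straight out of it."""
    return os.path.join(backup_dir, filename)


def safe_backup_path(backup_dir: str, filename: str) -> str:
    """Hardened pattern: accept only a bare file name, then confirm the
    resolved path still lives directly inside the backup directory."""
    # Reject anything carrying directory components (covers '/', '\\' on
    # Windows, absolute paths and traversal) plus the empty and dot names.
    if not filename or filename in (".", "..") or filename != os.path.basename(filename):
        raise ValueError(f"invalid backup filename: {filename!r}")
    root = Path(backup_dir).resolve()
    # resolve() also follows symlinks, so a link planted inside the backup
    # directory that points elsewhere fails the parent check below.
    candidate = (root / filename).resolve()
    if candidate.parent != root:
        raise ValueError(f"filename escapes backup directory: {filename!r}")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return str(candidate)


def demo() -> dict:
    """Build a constructed layout (a backup dir plus a config file outside it)
    and record how each resolver treats legitimate and hostile names."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backup"
        backups.mkdir()
        (backups / "bazarr_backup.zip").write_bytes(b"PK\x03\x04constructed")
        secret = Path(tmp) / "config.ini"          # outside the backup directory
        secret.write_text("[auth]\napikey = constructed-sample-value\n")

        results = {}
        # The vulnerable resolver hands back the file outside the directory.
        leaked = Path(unsafe_backup_path(str(backups), "../config.ini")).read_text()
        results["unsafe_leaks_outside_file"] = leaked == secret.read_text()

        # The hardened resolver still serves the real backup ...
        served = safe_backup_path(str(backups), "bazarr_backup.zip")
        results["safe_serves_legit"] = Path(served).name == "bazarr_backup.zip"

        # ... and refuses traversal and absolute paths.
        for label, name in (("traversal", "../config.ini"),
                            ("absolute", str(secret))):
            try:
                safe_backup_path(str(backups), name)
                results[f"safe_rejects_{label}"] = False
            except ValueError:
                results[f"safe_rejects_{label}"] = True

        # A symlink planted inside the backup directory is caught by resolve().
        link = backups / "planted.zip"
        try:
            link.symlink_to(secret)
        except (OSError, NotImplementedError):
            results["safe_rejects_symlink"] = None   # platform cannot create symlinks
        else:
            try:
                safe_backup_path(str(backups), "planted.zip")
                results["safe_rejects_symlink"] = False
            except ValueError:
                results["safe_rejects_symlink"] = True
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The important design choice is that the hardened version does two independent things: it rejects any name that is not a bare file name, and it still re-checks the canonicalized result against the canonicalized directory. The second check is what catches cases the first cannot see, such as a symlink inside the backup directory that points outside it.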

References