Update Your Bazarr Subtitle Manager to Patch File Read Vulnerability

CVE: CVE-2023-50265
CVSS v3.1: 7.5
Source: CVE-2023-50265

Bazarr is a popular open source tool for managing and downloading subtitles for your media collection. A security issue was recently disclosed in Bazarr that could allow an attacker to read arbitrary files, anything the Bazarr process itself can read, on the host where it is installed.

The vulnerability is in the Bazarr API endpoint that serves the interactive API documentation. The endpoint does not validate the "filename" parameter before using it to locate the requested file and send it back to the client. Because nothing rejects path segments such as "../" (or an absolute path), a request can point outside the documentation's static directory, and an attacker can retrieve files they should never be able to reach. This is a classic path traversal, and it is reachable over the network by anyone who can talk to the Bazarr web interface.
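To make the mechanism concrete, the following is an added Python illustration, not Bazarr's own code: the unchecked path join that produces this class of bug, placed next to the confinement check that a fixed endpoint needs. The function names, the `/srv/bazarr/static` directory and the sample request values are assumptions made for the example.

```python
import os


def vulnerable_resolve(base_dir: str, filename: str) -> str:
    """'Before' pattern (illustrative, not Bazarr's actual code).

    The user-supplied filename is joined onto the static directory and the
    result is handed straight to the file-serving routine.  Nothing rejects
    '..' segments or absolute paths, so the returned path can lie anywhere
    the process has permission to read.
    """
    return os.path.normpath(os.path.join(base_dir, filename))


def safe_resolve(base_dir: str, filename: str):
    """Hardened form: confine the resolved path to base_dir.

    realpath() collapses '..' and follows symlinks, so the check below sees
    the file that would really be opened.  Returns None when the request
    would escape base_dir; the caller should answer 404 rather than explain
    why, so the response does not reveal what exists outside the directory.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    try:
        # commonpath() compares whole path components, so a sibling directory
        # such as base_dir + '-evil' is correctly rejected; a plain
        # startswith() prefix check would wrongly accept it.
        inside = os.path.commonpath([base, target]) == base
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        inside = False
    return target if inside else None


def serve_static(base_dir: str, filename: str):
    """Request handler shaped like a documentation/static-file endpoint.

    Returns an (http_status, path) pair; 200 only when the path is confined
    to base_dir, 404 for anything that tries to leave it.
    """
    path = safe_resolve(base_dir, filename)
    if path is None:
        return 404, None
    return 200, path


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical static directory.
    base = "/srv/bazarr/static"
    for name in ("swagger-ui.css", "../../../etc/passwd",
                 "/etc/passwd", "../static-evil/x"):
        print(f"{name!r:24} vulnerable -> {vulnerable_resolve(base, name)}")
        print(f"{'':24} hardened   -> {serve_static(base, name)}")
```

Run it and the first column shows why the unchecked join is dangerous: the relative and absolute traversal strings both resolve to `/etc/passwd`, while the hardened handler answers 404 for every request that leaves the static directory, including the `../static-evil/x` case that a naive string-prefix check would have let through.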

This could expose sensitive data such as passwords, private keys or configuration files. Bazarr's own data is not the only concern: the file is read with the privileges of the account the Bazarr process runs under, and in many installations (a container, or a service running as root) that account can read far more of the filesystem than the subtitle library. A 7.5 base score is consistent with an issue that is exploitable remotely without authentication and has a high confidentiality impact, which is exactly the profile of an arbitrary file read.

The issue has been addressed in Bazarr version 1.3.1. If you are running an earlier version, check the version your instance reports and update immediately; there is no configuration option that mitigates the bug, since the problem is missing validation inside the endpoint itself.

Two further points for anyone who runs Bazarr on a network they do not fully trust. First, do not expose the Bazarr web interface directly to the internet; keep it behind an authenticating reverse proxy or a VPN so that an unauthenticated endpoint like this one is not reachable by arbitrary clients. Second, if an unpatched instance was reachable from untrusted networks, assume its configuration may have been read and rotate the credentials it holds, such as the Sonarr and Radarr API keys stored in Bazarr's settings. Keeping application updates current remains the simplest defence against vulnerabilities of this kind.
