CVE-2023-50264

7.5 HIGH

📋 TL;DR

CVE-2023-50264 is an arbitrary file read vulnerability in Bazarr subtitle management software. Attackers can read any file on the system by manipulating the filename parameter in the backup download endpoint. All Bazarr users running versions before 1.3.1 are affected.

💻 Affected Systems

Products:
  • Bazarr
Versions: All versions prior to 1.3.1
Operating Systems: All platforms running Bazarr (Linux, Windows, macOS, Docker)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of Bazarr before version 1.3.1 are vulnerable. The vulnerability exists in the web interface component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through reading sensitive files like SSH keys, configuration files, or database credentials, potentially leading to lateral movement or data exfiltration.

🟠 Likely Case: Unauthorized access to sensitive configuration files, subtitle files, or other application data stored on the server.

🟢 If Mitigated: Limited impact if proper network segmentation and file permissions restrict access to sensitive system files.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is part of the web interface and can be exploited remotely if exposed to the internet.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through compromised internal systems, but requires network access to the Bazarr instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the Bazarr web interface. The vulnerability is simple to exploit with basic web request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.1

Vendor Advisory: https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1

Restart Required: Yes

Instructions:

1. Stop the Bazarr service.
2. Back up your configuration.
3. Update to version 1.3.1 via package manager, Docker pull, or manual installation.
4. Restart the Bazarr service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to Bazarr web interface to trusted IPs only

# Using firewall (example for Linux iptables)
iptables -A INPUT -p tcp --dport 6767 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 6767 -j DROP

Authentication Hardening

Platform: all

Implement strong authentication and consider using reverse proxy with additional authentication

# Ensure strong password in Bazarr settings
# Configure reverse proxy (nginx example)
location / {
  auth_basic "Restricted";
  auth_basic_user_file /etc/nginx/.htpasswd;
  proxy_pass http://localhost:6767;
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Bazarr from sensitive systems
  • Enable detailed logging and monitoring for suspicious file access patterns

🔍 How to Verify

Check if Vulnerable:

Check Bazarr version in web interface Settings > System or run: grep 'version' /path/to/bazarr/data/config/config.ini

Check Version:

docker exec bazarr python -c "import bazarr; print(bazarr.__version__)" or check web interface Settings > System

Verify Fix Applied:

Confirm version is 1.3.1 or higher in web interface or configuration file

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns on the /system/backup/download/ endpoint
  • Requests with path traversal sequences (../) in filename parameter
  • Access to files outside expected backup directory

Network Indicators:

  • HTTP requests to /system/backup/download/ with suspicious filename parameters
  • Unusual outbound data transfers following file read requests

SIEM Query:

source="bazarr.log" AND (uri_path="/system/backup/download/" AND filename CONTAINS "../")
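Added detection example for the log indicators and SIEM query above (not from this advisory or from Bazarr itself): it parses constructed access-log lines, undoes nested percent-encoding in the filename, and flags any backup-download request whose filename resolves outside the backup directory. The log line shape and the /config/backup path are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/system/backup/download/"
BACKUP_DIR = "/config/backup"  # assumed location of Bazarr backups
# Assumed access-log shape: <ip> [<time>] "<method> <uri> HTTP/1.1" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value):
    """Undo repeated percent-encoding (%252e%252e%252f -> ../)."""
    for _ in range(3):
        value = unquote(value)
    return value

def escapes_backup_dir(name):
    """True if an already-decoded filename resolves outside BACKUP_DIR."""
    name = name.replace("\\", "/")
    target = posixpath.normpath(posixpath.join(BACKUP_DIR, name))
    return target != BACKUP_DIR and not target.startswith(BACKUP_DIR + "/")

def suspicious_filename(uri):
    """Return the decoded escaping filename for a backup-download request, else None."""
    parts = urlsplit(uri)
    path = decode_fully(parts.path)
    if not path.startswith(ENDPOINT):
        return None
    # The name may be the trailing path segment or a ?filename= query value.
    for cand in [path[len(ENDPOINT):]] + parse_qs(parts.query).get("filename", []):
        name = decode_fully(cand)
        if name and escapes_backup_dir(name):
            return name
    return None

def scan_log(lines):
    """Return (ip, uri, filename) for each request that escapes the backup dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (bad := suspicious_filename(m.group("uri"))) is not None:
            hits.append((m.group("ip"), m.group("uri"), bad))
    return hits

# Constructed sample lines, not real Bazarr logs.
SAMPLE_LOG = [
    '10.0.0.5 [12/Dec/2023:10:01:02 +0000] "GET /system/backup/download/backup_2023.zip HTTP/1.1" 200',
    '10.0.0.9 [12/Dec/2023:10:02:17 +0000] "GET /system/backup/download/..%2F..%2Fconfig%2Fconfig.ini HTTP/1.1" 200',
    '10.0.0.9 [12/Dec/2023:10:02:40 +0000] "GET /system/backup/download/?filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200',
    '10.0.0.7 [12/Dec/2023:10:03:00 +0000] "GET /api/system/status HTTP/1.1" 200',
]
```

Running scan_log(SAMPLE_LOG) returns the two requests from 10.0.0.9 with their decoded filenames; a plain "../" substring match would miss the double-encoded third line.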
