CVE-2023-50266: 
NixOS vulnerability analysis and mitigation

CVE-2023-50266 affects Bazarr, a software that manages and downloads subtitles. The vulnerability was discovered in version 1.2.4, where the proxy method in bazarr/bazarr/app/ui.py contained a blind server-side request forgery (SSRF) vulnerability. The issue was disclosed on December 15, 2023, and received a CVSS v3.1 base score of 5.3 (Medium) (NVD).

The vulnerability exists in the proxy method where user-controlled protocol and url variables are passed to requests.get() without proper sanitization. This implementation allows for crafting GET requests to both internal and external resources on behalf of the server. Version 1.3.1 introduced a partial fix that limits the vulnerability to HTTP/HTTPS protocols (GitHub Security Lab).

The vulnerability enables attackers to craft GET requests to internal and external resources using the server's privileges. This could potentially allow attackers to access internal network resources or make requests to external systems impersonating the server (GitHub Security Lab).

The issue has been partially addressed in Bazarr version 1.3.1, which limits the vulnerability to HTTP/HTTPS protocols. Users are advised to upgrade to this version or later. The fix includes changes to the proxy method implementation to prevent arbitrary file read and blind SSRF (GitHub Commit).