CVE-2023-50259

Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The testslack request handler in medusa/server/web/home/handler.py does not validate the user-controlled slack_webhook variable and passes it to the notifiers.slack_notifier.test_notify method, then _notify_slack and finally _send_slack method, which sends a POST request to the user-controlled URL on line 103 in /medusa/notifiers/slack.py, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/664.html

References

• https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/notifiers/slack.py#L103
• https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/server/web/home/handler.py#L168
• https://github.com/pymedusa/Medusa/releases/tag/v1.0.19
• https://github.com/pymedusa/Medusa/security/advisories/GHSA-8mcr-vffr-jwxv
• https://securitylab.github.com/advisories/GHSL-2023-201_GHSL-2023-202_Medusa/
• https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/notifiers/slack.py#L103
• https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/server/web/home/handler.py#L168
• https://github.com/pymedusa/Medusa/releases/tag/v1.0.19
• https://github.com/pymedusa/Medusa/security/advisories/GHSA-8mcr-vffr-jwxv
• https://securitylab.github.com/advisories/GHSL-2023-201_GHSL-2023-202_Medusa/