Calibre-Web up to 0.6.15 access control

Summaryinfo

A vulnerability has been found in Calibre-Web up to 0.6.15 and classified as critical. This impacts an unknown function. This manipulation causes access control. This vulnerability is handled as CVE-2022-0405. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical was found in Calibre-Web up to 0.6.15. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality.

The weakness was released 04/04/2022. The advisory is shared at huntr.dev. This vulnerability is known as CVE-2022-0405 since 01/28/2022. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 0.6.16 eliminates this vulnerability. Applying the patch 3b216bfa07ec7992eff03e55d61732af6df9bb92 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Calibre-Web

Version

• 0.6.0
• 0.6.1
• 0.6.2
• 0.6.3
• 0.6.4
• 0.6.5
• 0.6.6
• 0.6.7
• 0.6.8
• 0.6.9
• 0.6.10
• 0.6.11
• 0.6.12
• 0.6.13
• 0.6.14
• 0.6.15

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion