Platform
python
Component
calibre-web
Fixed in
0.6.18
CVE-2022-0990 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the janeczku/calibre-web GitHub repository. This flaw allows attackers to trick the application into making requests to arbitrary internal or external resources, potentially exposing sensitive data or enabling unauthorized access. The vulnerability affects versions of calibre-web prior to 0.6.18, and a patch has been released to address the issue.
The SSRF vulnerability in calibre-web allows an attacker to craft malicious requests that are executed by the server. This can be exploited to access internal services that are not directly exposed to the internet, such as databases, administration panels, or other internal APIs. An attacker could potentially read sensitive configuration files, extract credentials, or even execute commands on the underlying server if the internal services are vulnerable. The impact is particularly severe if calibre-web is deployed in an environment with sensitive internal resources or if it's used to manage access to critical data.
CVE-2022-0990 was publicly disclosed on April 4, 2022. While no active exploitation campaigns have been definitively linked to this vulnerability, the SSRF nature of the flaw makes it a potential target for automated scanning and exploitation. The vulnerability is not currently listed on CISA KEV, but its CRITICAL severity warrants careful attention. Public proof-of-concept exploits are available, demonstrating the ease of exploitation.
Organizations running calibre-web versions prior to 0.6.18, particularly those with sensitive internal resources accessible from the network, are at significant risk. Shared hosting environments where calibre-web is deployed alongside other applications are also vulnerable, as an attacker could potentially exploit the SSRF to gain access to other services on the same server.
• python / server:
journalctl -u calibre-web | grep -i "Server-Side Request Forgery"
• generic web:
curl -I <calibre-web-url>/internal-resource # Check for access to internal resources
grep -r "http://localhost:8080" /path/to/calibre-web/source-code # Search for hardcoded internal URLs
disclosure
patch
Exploit status
EPSS
0.29% (52nd percentile)
CVSS vector
The primary mitigation for CVE-2022-0990 is to upgrade calibre-web to version 0.6.18 or later. This version includes a fix that prevents the SSRF vulnerability. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests to suspicious internal or external URLs. Additionally, restrict network access to calibre-web to only authorized users and systems. Regularly review and update the application's configuration to minimize the attack surface.
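The mitigation text above mentions blocking requests to suspicious internal or external URLs. The following is an added example of what such a guard looks like at the application layer; it is not calibre-web's own code and not the actual fix shipped in 0.6.18. It assumes a hypothetical `check_outbound_url()` hook that the server would call before fetching any user-supplied URL, and takes an injectable `resolver` so that DNS lookups can be replaced offline. It rejects non-HTTP schemes, URLs carrying credentials, and any hostname or literal that maps to a loopback, private, link-local, multicast, reserved or unspecified address (IPv4-mapped IPv6 literals are unwrapped first, since they are a common way to slip a loopback address past a naive check).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical outbound-URL guard (added example, not calibre-web's code).
ALLOWED_SCHEMES = {"http", "https"}


def _is_non_public(ip_text: str) -> bool:
    """True if the address must never be fetched by the server on a user's behalf."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is an IPv6 literal wrapping an IPv4 loopback; check the inner v4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def default_resolver(host: str):
    """Resolve a hostname to every address it currently maps to (real DNS; unused in the test)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=default_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch for a user."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    try:
        # Literal IP (urlparse already strips the [] around IPv6 literals).
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = list(resolver(host))
        except OSError:
            return False, "DNS resolution failed"
    if not ips:
        return False, "host has no addresses"
    for ip in ips:
        if _is_non_public(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs with a fake resolver so the demo runs offline.
    fake_dns = {"example.org": ["93.184.216.34"], "intranet.test": ["10.0.0.5"]}
    for candidate in ("https://example.org/cover.jpg", "http://intranet.test/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate, resolver=lambda h: fake_dns.get(h, [])))
```

Two design points matter for a guard like this. First, the check must cover every address a name resolves to, not just the first, and the fetch that follows should connect to the address that was checked (pin the resolved IP rather than resolving again inside the HTTP client), otherwise a DNS answer that changes between check and fetch defeats it. Second, redirects must be re-validated hop by hop, because a public host can answer with a 3xx to an internal address.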
Update calibre-web to version 0.6.18 or later. This version contains a fix for the SSRF vulnerability. The update can be done through the pip package manager or by downloading the latest release from the repository and replacing the files.
CVE-2022-0990 is a critical Server-Side Request Forgery vulnerability in calibre-web versions before 0.6.18, allowing attackers to make requests to internal resources.
Yes, if you are running a calibre-web version prior to 0.6.18, you are vulnerable to this SSRF attack.
Upgrade calibre-web to version 0.6.18 or later to patch the SSRF vulnerability. Consider WAF rules as a temporary mitigation.
While no confirmed active campaigns are publicly known, the SSRF nature of the vulnerability makes it a potential target for exploitation.
Refer to the calibre-web GitHub repository for the advisory and release notes: https://github.com/janeczku/calibre-web/releases/tag/0.6.18