Plattform
other
Komponente
calibre
Behoben in
7.14.1
CVE-2024-6781 describes an arbitrary file access vulnerability discovered in Calibre, an e-book library software. This flaw allows unauthenticated attackers to read arbitrary files on the system, potentially exposing sensitive information. The vulnerability affects Calibre versions 7.14.0 through 7.14.0, and a fix is available in version 7.14.1.
The primary impact of CVE-2024-6781 is the potential for unauthorized access to sensitive files. An attacker exploiting this vulnerability could read configuration files, user data, or other critical system files. This could lead to data breaches, exposure of credentials, or further compromise of the system. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. While the vulnerability doesn't directly lead to code execution, the information gained from file access could be used to identify and exploit other vulnerabilities.
CVE-2024-6781 was publicly disclosed on August 6, 2024. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, due to the lack of authentication, warrants careful monitoring and prompt patching.
Users running Calibre version 7.14.0 are at immediate risk. This includes individuals using Calibre for personal e-book management and organizations deploying Calibre servers for library management. Shared hosting environments where Calibre is installed are particularly vulnerable, as multiple users may have access to the same instance.
• other / general: Monitor Calibre logs for unusual file access attempts. Look for requests targeting files outside of the expected Calibre data directories.
grep -i 'path traversal' /var/log/calibre/calibre.logdisclosure
Exploit-Status
EPSS
93.77% (100% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation for CVE-2024-6781 is to immediately upgrade Calibre to version 7.14.1 or later. If upgrading is not immediately feasible, consider restricting access to the Calibre installation directory. Implement strict file system permissions to limit the ability of unauthenticated users to access sensitive files. While a WAF or proxy cannot directly mitigate this file access vulnerability, they can be configured to monitor for suspicious file access attempts and alert administrators. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Actualice Calibre a una versión posterior a 7.14.0 para corregir la vulnerabilidad de path traversal. Esto evitará que atacantes no autenticados lean archivos arbitrarios en el sistema. Descargue la última versión desde el sitio web oficial de Calibre.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2024-6781 is a vulnerability in Calibre versions 7.14.0–7.14.0 that allows unauthenticated attackers to read arbitrary files on the system, potentially exposing sensitive data. It is rated as HIGH severity.
If you are using Calibre version 7.14.0, you are affected by this vulnerability. Upgrade to version 7.14.1 or later to mitigate the risk.
The recommended fix is to upgrade Calibre to version 7.14.1 or a later version. This resolves the path traversal vulnerability.
While no public exploits are currently known, the ease of exploitation suggests that it may be targeted. It's crucial to apply the patch promptly.
Refer to the Calibre project's official website and security announcements for the latest information and advisory regarding CVE-2024-6781: https://calibre-ebook.com/
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.