Platform
python
Component
calibreweb
Fixed in
0.6.17
0.6.17
CVE-2022-0766 describes a server-side request forgery (SSRF) vulnerability affecting calibreweb versions up to 0.6.16. This flaw allows attackers to craft malicious requests that the application forwards to internal or external resources, potentially leading to unauthorized access and data exfiltration. The vulnerability stems from an incomplete fix addressing CVE-2022-0339, specifically failing to properly filter the 0.0.0.0 address which resolves to localhost. A patch is available in version 0.6.17.
The SSRF vulnerability in calibreweb allows an attacker to initiate requests on behalf of the application, bypassing network security controls. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored on internal servers, or even interact with internal APIs. The ability to resolve 0.0.0.0 to localhost means an attacker can directly target the calibreweb server itself, potentially leading to further exploitation. This vulnerability is particularly concerning given calibreweb's role as a web-based ebook management application, often deployed in environments with access to sensitive user data and library resources.
CVE-2022-0766 is related to CVE-2022-0339, indicating a potential pattern of incomplete fixes. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation. As of the current date, there is no confirmed reporting of active exploitation campaigns, but the vulnerability's critical severity warrants immediate attention. The CVE was published on 2022-03-08.
Exploit Status
EPSS
0.29% (52% percentile)
CVSS Vector
The primary mitigation for CVE-2022-0766 is to immediately upgrade calibreweb to version 0.6.17 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing 0.0.0.0 or other suspicious hostnames. Additionally, review and restrict network access policies to limit calibreweb's ability to connect to external resources. Monitor calibreweb logs for unusual outbound requests that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a request with 0.0.0.0 as the hostname and verifying that it is blocked.
Update calibre-web to version 0.6.17 or higher. This version contains a fix for the SSRF vulnerability. You can update via the Python package manager (pip) or by following the upgrade instructions provided by the vendor.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2022-0766 is a critical server-side request forgery (SSRF) vulnerability in calibreweb versions up to 0.6.16, allowing attackers to send requests to internal resources.
You are affected if you are running calibreweb version 0.6.16 or earlier. Upgrade to 0.6.17 to resolve the vulnerability.
Upgrade calibreweb to version 0.6.17 or later. As a temporary workaround, implement a WAF rule to block requests containing 0.0.0.0.
While there are no confirmed reports of active exploitation, the vulnerability's critical severity makes it a high-priority target.
Refer to the calibreweb GitHub security advisory: https://github.com/advisories/GHSA-4w8p-x6g8-fv64
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.