Platform: python
Component: calibreweb
Fixed in: 0.6.17
CVE-2022-0767 describes a server-side request forgery (SSRF) vulnerability present in calibreweb versions up to 0.6.16. This flaw allows attackers to bypass inadequate SSRF protection mechanisms by exploiting HTTP redirects, potentially enabling access to internal resources. The vulnerability was published on March 8, 2022, and a fix is available in version 0.6.17.
The SSRF vulnerability in calibreweb allows an attacker to make the server issue HTTP requests on the attacker's behalf. By pointing the server at an external URL whose response is an HTTP redirect (302 status code), an attacker can steer the request to internal services running on localhost. This bypasses the intended SSRF protection and lets the attacker interact with, and potentially extract data from, internal resources that are not directly exposed to the public internet. Successful exploitation could lead to unauthorized access to sensitive data or configuration files, or even the ability to trigger actions on internal systems. The impact is particularly severe if calibreweb is deployed alongside sensitive internal services.
CVE-2022-0767 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is available, indicating a moderate risk of exploitation. The vulnerability was publicly disclosed on March 8, 2022, coinciding with the CVE publication date. Active exploitation campaigns have not been definitively confirmed, but the availability of a PoC suggests potential for opportunistic attacks.
EPSS: 0.20% (42nd percentile)
The primary mitigation for CVE-2022-0767 is to upgrade calibreweb to version 0.6.17 or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to calibreweb from untrusted sources using a Web Application Firewall (WAF) or proxy server. Configure the WAF to block requests containing suspicious redirect URLs. Carefully review and harden the configuration of any internal services accessible from localhost to minimize potential damage from unauthorized access. Monitor calibreweb logs for unusual activity, particularly requests containing redirect URLs.
Update calibre-web to version 0.6.17 or higher. This version contains a fix for the SSRF vulnerability. The update can be performed via the pip package manager or by downloading the latest version from the GitHub repository and replacing the files.
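As an added illustration (not calibre-web's own code) of the hardening pattern a redirect-based SSRF bypass calls for: validate every redirect hop, not only the URL the user supplied. It assumes a caller-supplied `fetch` that performs a single request with redirects disabled; the host names and addresses below are constructed.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def resolve_all(host):
    """Default resolver: all A/AAAA addresses a host name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_url(url, resolver=resolve_all):
    """http(s) only, and every address of the host must be globally routable."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = {ipaddress.ip_address(parsed.hostname)}  # IP literal
    except ValueError:
        try:  # host name: check every address it resolves to
            addrs = {ipaddress.ip_address(a) for a in resolver(parsed.hostname)}
        except (OSError, ValueError):
            return False
    return bool(addrs) and all(a.is_global for a in addrs)

def fetch_checked(url, fetch, resolver=resolve_all, max_redirects=5):
    """Follow redirects by hand so every hop passes is_safe_url().
    fetch(url) does one request with redirects disabled -> (status, headers, body)."""
    current = url
    for _ in range(max_redirects + 1):
        if not is_safe_url(current, resolver):
            raise ValueError(f"blocked non-public target: {current}")
        status, headers, body = fetch(current)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status in REDIRECT_CODES and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        return current, status, body
    raise ValueError("too many redirects")

# Constructed sample (hypothetical hosts): cdn.example resolves to a public
# placeholder address but answers one path with a 302 to a loopback service,
# the redirect bypass pattern CVE-2022-0767 describes.
FAKE_DNS = {"cdn.example": {"1.2.3.4"}}
FAKE_HTTP = {
    "http://cdn.example/cover.jpg": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "http://cdn.example/real.jpg": (200, {}, b"\xff\xd8\xff"),
}
fake_resolver = lambda host: FAKE_DNS.get(host, set())
fake_fetch = lambda url: FAKE_HTTP.get(url, (404, {}, b""))
```

Checking before connecting still leaves a gap if the host's DNS answer changes between the check and the actual request (DNS rebinding); a complete fix pins the validated address for the connection itself.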
CVE-2022-0767 is a critical server-side request forgery vulnerability in calibreweb versions up to 0.6.16, allowing attackers to bypass SSRF protection via HTTP redirects.
Yes, if you are running calibreweb version 0.6.16 or earlier, you are vulnerable to this SSRF vulnerability.
Upgrade calibreweb to version 0.6.17 or later to resolve the SSRF vulnerability. Consider temporary WAF rules if immediate upgrade is not possible.
While active exploitation campaigns are not confirmed, the availability of a public proof-of-concept suggests a potential risk of exploitation.
Refer to the calibreweb project's official website or GitHub repository for the advisory and release notes related to CVE-2022-0767.