Platform
python
Component
calibre-web
Fixed in
0.6.18
CVE-2022-0990 is a Server-Side Request Forgery (SSRF) vulnerability in calibre-web (the janeczku/calibre-web GitHub repository). It lets an attacker cause the calibre-web server to issue HTTP requests to destinations of the attacker's choosing, including internal hosts that are not reachable from the outside. Versions prior to 0.6.18 are affected; 0.6.18 contains the fix.
In an SSRF, the attacker supplies a URL that the application fetches on its own behalf, so the request originates from the calibre-web host and carries that host's network position and trust. Targets that are typically reachable this way are services bound to localhost or to the internal network (databases, administration panels, internal APIs, cloud instance-metadata endpoints). Depending on how calibre-web handles the response, the attacker may be able to read back data from those services; where an internal service is itself vulnerable, an SSRF can be the stepping stone to credential theft or code execution on that service. The impact is therefore highest when calibre-web runs inside a network that holds sensitive internal resources, or on a cloud host whose metadata service exposes credentials.
CVE-2022-0990 was publicly disclosed on April 4, 2022. No active exploitation campaigns have been publicly attributed to it and it is not listed in CISA KEV, but SSRF flaws in internet-facing software are routinely picked up by automated scanning, and the CRITICAL severity rating given here warrants prompt attention. Public proof-of-concept details are available.
Exploit Status
EPSS
0.29% (52nd percentile)
CVSS Vector
The primary mitigation for CVE-2022-0990 is to upgrade calibre-web to version 0.6.18 or later, which contains the fix. If an immediate upgrade is not possible, reduce exposure in the meantime: a Web Application Firewall rule can block request parameters that carry URLs pointing at loopback, private (RFC 1918), link-local and instance-metadata addresses, but treat this as a stopgap, since such rules are bypassable (alternate IP encodings, hostnames that resolve to internal addresses). More robust interim controls are to restrict who can reach calibre-web at all, and to restrict outbound traffic from the calibre-web host so that it cannot open connections to internal networks or to the cloud metadata endpoint. Review the deployment's configuration to keep the attack surface minimal.
Update calibre-web to version 0.6.18 or higher. If it was installed from PyPI, upgrade the calibreweb package with pip; otherwise download the 0.6.18 (or later) release from the repository and replace the installed files, then restart the service and confirm the running version.
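The interim control described above, refusing to fetch any user-supplied URL that points at an internal destination, is what an application-level SSRF guard does. The following is an added example written for this page; it is not code from calibre-web or from the 0.6.18 fix. It parses the URL, allows only http/https, resolves hostnames, unmaps IPv4-mapped IPv6 literals, and refuses the fetch unless every address the name resolves to is globally routable. The resolver is injectable so the example runs offline against a constructed DNS table; `check_fetch_url`, `system_resolver`, `FAKE_DNS` and `demo` are names chosen for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# A resolver maps a hostname to the list of IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Resolve via the OS, returning every A/AAAA answer (all must pass the check)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which includes the
    169.254.169.254 cloud metadata endpoint), CGNAT, documentation ranges
    and multicast. IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as IPv4.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url: str, resolver: Resolver = system_resolver,
                    allowed_schemes=("http", "https")) -> Optional[str]:
    """Return None if the server may fetch `url`, otherwise the reason to refuse."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in allowed_schemes:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    # A literal IP is checked directly. Anything else (including oddities such
    # as decimal or hex encodings of an IPv4 address, which ipaddress rejects)
    # goes through the resolver, and every returned address must be public, so
    # a name that round-robins between a public and an internal address fails.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolver(host))
        if not addrs:
            return f"unresolvable host: {host!r}"
    for addr in addrs:
        if not _is_public_ip(addr):
            return f"destination {addr} is not a public address"
    return None


# Constructed DNS table so the demo runs without network access.
FAKE_DNS = {
    "covers.example.org": ["1.2.3.4"],              # public (constructed)
    "rebind.example.org": ["1.2.3.4", "10.0.0.5"],  # mixed public/internal
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host.lower(), [])


def demo() -> dict:
    """Run the guard over constructed sample URLs; value is None when allowed."""
    samples = [
        "https://covers.example.org/book.jpg",       # allowed
        "http://127.0.0.1:8083/admin",               # loopback
        "http://[::ffff:127.0.0.1]/",                # mapped loopback
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata
        "http://rebind.example.org/",                # resolves to internal too
        "file:///etc/passwd",                        # scheme not allowed
        "http://localhost/",
    ]
    return {u: check_fetch_url(u, resolver=fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{'ALLOW ' if verdict is None else 'REFUSE'} {url}  {verdict or ''}")
```

One caveat the check cannot remove on its own: the resolution happens before the fetch, so an attacker controlling a DNS name can return a public address to the check and an internal one to the subsequent connection (DNS rebinding). Pinning the connection to the validated address, or enforcing the same policy at the network egress layer as the text recommends, closes that gap.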
CVE-2022-0990 is a critical Server-Side Request Forgery vulnerability in calibre-web versions before 0.6.18 that lets an attacker make the server issue requests to internal resources.
Yes, if you are running any calibre-web version earlier than 0.6.18 you are exposed to this SSRF; 0.6.18 and later contain the fix.
Upgrade calibre-web to version 0.6.18 or later to patch the SSRF vulnerability. Consider WAF rules as a temporary mitigation.
No active exploitation campaigns have been publicly confirmed, but SSRF flaws in internet-facing applications are a common target for automated scanning, so the vulnerability should be treated as likely to be probed.
Refer to the calibre-web GitHub repository for the advisory and release notes: https://github.com/janeczku/calibre-web/releases/tag/0.6.18