Platform
other
Component
calibre
Fixed in
7.14.1
CVE-2024-6781 describes an arbitrary file access vulnerability discovered in Calibre, an e-book library software. This flaw allows unauthenticated attackers to read arbitrary files on the system, potentially exposing sensitive information. The vulnerability affects Calibre versions 7.14.0 through 7.14.0, and a fix is available in version 7.14.1.
The impact of CVE-2024-6781 is significant due to its ease of exploitation and the potential for data exposure. An attacker could leverage this vulnerability to read configuration files, user data, or even parts of the operating system. This could lead to the compromise of user accounts, intellectual property theft, or further system exploitation. The lack of authentication requirements means that any user with network access to a Calibre instance could potentially exploit this vulnerability. While not directly leading to remote code execution, the information gained could be used to identify other vulnerabilities or attack vectors.
CVE-2024-6781 was publicly disclosed on August 6, 2024. No known public proof-of-concept exploits are currently available, but the ease of exploitation suggests that one may emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the simplicity of the path traversal, it is considered a medium probability exploit.
Exploit Status
EPSS
93.77% (100% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6781 is to upgrade Calibre to version 7.14.1 or later. If upgrading is not immediately feasible, consider restricting network access to the Calibre instance to prevent external exploitation. While a direct workaround is not available, implementing strict file system permissions and access controls can help limit the potential damage if the vulnerability is exploited. Regularly review Calibre's configuration and ensure it adheres to security best practices. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Actualice Calibre a una versión posterior a 7.14.0 para corregir la vulnerabilidad de path traversal. Esto evitará que atacantes no autenticados lean archivos arbitrarios en el sistema. Descargue la última versión desde el sitio web oficial de Calibre.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-6781 is a vulnerability in Calibre versions 7.14.0–7.14.0 that allows unauthenticated attackers to read arbitrary files on the system, potentially exposing sensitive data. It is rated as HIGH severity.
If you are using Calibre version 7.14.0, you are affected by this vulnerability. Upgrade to version 7.14.1 or later to mitigate the risk.
The recommended fix is to upgrade Calibre to version 7.14.1 or a later version. This resolves the path traversal vulnerability.
While no public exploits are currently known, the ease of exploitation suggests that it may be targeted. It's crucial to apply the patch promptly.
Refer to the Calibre project's official website and security announcements for the latest information and advisory regarding CVE-2024-6781: https://calibre-ebook.com/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.