CVE-2024-6782
published 2024-08-06

CVE-2024-6782: Improper access control in Calibre 6.9.0 ~ 7.14.0 allows unauthenticated attackers to achieve remote code execution.

Priority: P1 · 94
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 83.39% (99.6th percentile)

Affected

5 ranges

Vendor  | Product | Version range                            | Fixed in
calibre | calibre | >= 0 < 6.13.0+repack-2+deb12u4           | 6.13.0+repack-2+deb12u4
calibre | calibre | >= 0 < 7.16.0+ds-1                       | 7.16.0+ds-1
calibre | calibre | >= 0 < 7.16.0+ds-1                       | 7.16.0+ds-1
calibre | calibre | 6.9.0 – 7.14.0                           | (none listed)
debian  | calibre | < 6.13.0+repack-2+deb12u4 (bookworm)     | 6.13.0+repack-2+deb12u4 (bookworm)

Detection & IOCs

url: /interface-data/books-init
url: /cdb/cmd/list
port: 8080
command (python template payload):
    python:def evaluate(a, b):
        import subprocess
        try:
            return subprocess.check_output(['cmd.exe', '/c', 'whoami'])
        except Exception:
            return subprocess.check_output(['sh', '-c', 'whoami'])
  • Alert on Calibre content server traffic on TCP port 8080 (the content server's default port) from unauthenticated sources, especially where the Content-Type is application/json and the request body contains 'subprocess' or 'evaluate'. Servers bound to a non-default port need the same rule applied to that port.
  • Use Shodan/FOFA queries to identify exposed Calibre content servers: Shodan query 'html:"Calibre"' and FOFA query '"Server: calibre"'.
  • Match HTTP 200 JSON responses to a POST to /cdb/cmd/list whose body matches the regex b'([^']+)'. The bytes object returned by subprocess.check_output is serialized in its Python repr form, so a match indicates command output coming back from the injected template.
  • The Calibre content server is disabled by default; exploitation is only possible if the administrator has explicitly enabled it.
  • The vulnerable version range spans Calibre 6.9.0 through 7.14.0; the Metasploit module references up to 7.15.0, so detections should cover this full range.
  • The injected payload executes in the same OS user context as the Calibre process; impact severity depends on the privilege level of the running Calibre instance.
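The following is an added example, not code from this CVE entry, the Metasploit module or the Calibre project. It turns the detection bullets above into an offline check: a version-range test covering 6.9.0 through 7.15.0, and a classifier that flags POSTs to /cdb/cmd/list on port 8080 carrying 'subprocess' or 'evaluate' in a JSON body, plus 200 responses whose JSON contains the b'...' repr of command output. The HTTP record layout, field names and the sample request and response bodies are constructed for illustration; the real request structure of the /cdb/cmd/list API is not reproduced here.

```python
import json
import re

# Version bounds taken from the entry above: 6.9.0 - 7.14.0 is the listed
# vulnerable range, and the Metasploit module references up to 7.15.0.
VULN_MIN = (6, 9, 0)
VULN_MAX = (7, 15, 0)

# Indicators from the detection bullets above.
PAYLOAD_RE = re.compile(r"subprocess|evaluate")
# Command output comes back as the Python repr of a bytes object, e.g. b'www-data\n'.
OUTPUT_RE = re.compile(r"b'([^']+)'")


def parse_version(s):
    """'7.14.0' -> (7, 14, 0). Distro suffixes such as '+ds-1' are ignored."""
    parts = []
    for piece in s.split("+")[0].split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(s):
    """True when the upstream version falls inside the vulnerable range.
    Caveat: Debian's fixed build 6.13.0+repack-2+deb12u4 still reports an
    upstream version inside the range; check the package revision separately."""
    return VULN_MIN <= parse_version(s) <= VULN_MAX


def _strings(obj):
    """Yield every string leaf of a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def classify(rec):
    """Return detection tags for one constructed HTTP transaction record.
    rec keys: method, path, port, content_type, req_body, status, resp_body."""
    tags = []
    if rec["port"] != 8080 or rec["path"].split("?")[0] != "/cdb/cmd/list":
        return tags
    if rec["method"] == "POST" and "application/json" in rec.get("content_type", ""):
        if PAYLOAD_RE.search(rec["req_body"]):
            tags.append("template-rce-attempt")
    if rec["status"] == 200:
        try:
            leaves = list(_strings(json.loads(rec["resp_body"])))
        except ValueError:
            leaves = [rec["resp_body"]]
        for s in leaves:
            m = OUTPUT_RE.search(s)
            if m:
                tags.append("command-output:" + m.group(1).strip())
                break
    return tags


def scan(records):
    """Return {index: tags} for every record that produced at least one tag."""
    hits = {}
    for i, rec in enumerate(records):
        tags = classify(rec)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample traffic (not captured from a real server).
PAYLOAD = (
    "python:def evaluate(a, b):\n import subprocess\n try:\n"
    "  return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n"
    " except Exception:\n  return subprocess.check_output(['sh', '-c', 'whoami'])"
)
RECORDS = [
    {"method": "GET", "path": "/interface-data/books-init", "port": 8080,
     "content_type": "", "req_body": "", "status": 200,
     "resp_body": '{"library_id": "Calibre_Library"}'},
    {"method": "POST", "path": "/cdb/cmd/list", "port": 8080,
     "content_type": "application/json",
     "req_body": '[["title"], "timestamp", "desc", "", 20]', "status": 200,
     "resp_body": '{"book_ids": [5, 9, 12]}'},
    {"method": "POST", "path": "/cdb/cmd/list", "port": 8080,
     "content_type": "application/json",
     "req_body": json.dumps(["constructed-placeholder", PAYLOAD]), "status": 200,
     "resp_body": '{"result": "b\'www-data\\n\'"}'},
]

if __name__ == "__main__":
    for v in ("6.8.0", "6.9.0", "7.14.0", "7.15.0", "7.16.0+ds-1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not in range")
    print(scan(RECORDS))
```

The request-side match on 'subprocess' or 'evaluate' follows the detection note above and will fire on benign searches that happen to contain those words; in production, pair it with the response-side b'...' match, which only appears when the server has actually executed a Python template and returned bytes.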

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |