E-book tool Calibre: Code smuggling due to critical security vulnerability
A critical security vulnerability in the e-book tool Calibre allows unauthenticated attackers to inject code. An update closes the hole.
(Image: Black Jack/Shutterstock.com)
There is a critical security vulnerability in the Calibre e-book tool collection. Attackers can inject and execute arbitrary code without prior login. Through a second vulnerability they can also read arbitrary files on the file system. Updated Calibre packages close the security holes.
According to the changelog, version 7.16 of Calibre fixes four vulnerabilities. The most serious is a flaw in the content server, which allows attackers to inject and execute malicious code without prior authentication and thus gain full access to the computer. The discoverers at Starlabs explain the vulnerability in more detail in a press release. However, if the server has been configured with a password, attackers must know it (CVE-2024-6782, CVSS 9.8, risk "critical"). Another remedy is not to start the content server at all.
Calibre update corrects four vulnerabilities
Starlabs also reported a second vulnerability in Calibre, which likewise allows attackers to gain read access to arbitrary files without prior authentication. Because a path name is insufficiently restricted to the intended directory, they can perform a so-called path traversal, i.e. navigate the file system using path components such as "../" (CVE-2024-6781, CVSS 7.5, high).
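To illustrate what "insufficient limitation of a path name to a restricted directory" means in practice, here is an added example of the kind of check a file-serving component needs. It is generic illustration code written for this article, not Calibre's code and not the fix the project shipped; the library root `/srv/books` and the request strings are constructed values.

```python
# Added example, not Calibre's own code: confine requested file paths to a
# fixed library root so that components such as "../" cannot escape it.
import os
import posixpath
from typing import Dict, Optional


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `root`, or None if the
    request would leave the root (via "..", an absolute path, or a symlink
    that points outside the root).
    """
    root_real = os.path.realpath(root)
    # Clients on Windows may send backslashes; treat them as separators so
    # that "..\\..\\" is normalised like "../../".
    norm = posixpath.normpath(requested.replace("\\", "/"))
    # Absolute paths and anything that still climbs above "." after
    # normalisation are traversal attempts and are rejected early.
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    candidate = os.path.realpath(os.path.join(root_real, norm))
    # Final guard: the resolved path must be the root itself or lie strictly
    # below it. Comparing against root + separator stops "/srv/books2" from
    # passing as a child of "/srv/books".
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def is_safe_request(root: str, requested: str) -> bool:
    """True if serving `requested` from `root` would stay inside `root`."""
    return resolve_under_root(root, requested) is not None


def demo(root: str = "/srv/books") -> Dict[str, bool]:
    """Constructed sample requests against a hypothetical library root."""
    requests = [
        "novels/a.epub",               # ordinary request, allowed
        "novels/../b.epub",            # ".." that stays inside the root
        "../etc/passwd",               # classic traversal, rejected
        "novels/../../etc/passwd",     # traversal hidden behind a subdir
        "/etc/passwd",                 # absolute path, rejected
        "..\\..\\etc\\passwd",         # Windows-style separators
    ]
    return {r: is_safe_request(root, r) for r in requests}


if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{'allow' if ok else 'deny ':5} {req!r}")
```

The early string check gives a clean error message, but the `realpath` comparison at the end is the actual guard: it also catches symlinks inside the library that point elsewhere, which a purely textual check would miss.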
The new version of the e-book management system also closes a cross-site scripting vulnerability (CVE-2024-7008, CVSS 5.4, medium) and an SQL injection vulnerability (CVE-2024-7009, CVSS 4.2, medium). Updated installation packages are available on the Calibre project's download page. There are packages for Linux, macOS and Windows, and a portable version is also available.
Anyone using Calibre to manage their e-book or article collection should download and install the updated software as soon as possible. In particular, if the installation is reachable over the network, at least a password should be set and access restricted to trusted persons. Calibre admins should consider making the server unreachable from the Internet, for example by placing it behind a VPN.
(dmk)