CVE-2021-3987
📋 TL;DR
This vulnerability allows users without proper permissions to create public shelves in Calibre-Web, potentially exposing sensitive book collections. It affects all Calibre-Web instances where user accounts exist and public shelf functionality is enabled. The issue stems from missing permission checks in the shelf creation method.
💻 Affected Systems
- janeczku/calibre-web
📦 What is this software?
Calibre Web by Janeczku
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users create public shelves containing sensitive or private book collections, exposing them to all users or potentially the public internet if the instance is internet-facing.
Likely Case
Users with limited permissions create unintended public shelves, potentially exposing books they shouldn't have access to share.
If Mitigated
Only users with explicit public shelf permissions can create public shelves, maintaining proper access control.
🎯 Exploit Status
Exploitation requires an authenticated user account but no special permissions; a single HTTP request to the shelf creation endpoint is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit bcdc97641447965af486964537f3821f47b28874 and later
Vendor Advisory: https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874
Restart Required: Yes
Instructions:
1. Update Calibre-Web to commit bcdc97641447965af486964537f3821f47b28874 or later.
2. Restart the Calibre-Web service.
3. Verify the fix by testing shelf creation with non-privileged users.
🔧 Temporary Workarounds
Disable public shelf functionality
Temporarily disable public shelf creation until patched.
Modify configuration to restrict shelf creation permissions or disable public shelves entirely.
Restrict user permissions
Review and tighten user permissions to minimize attack surface.
Audit all user accounts and remove unnecessary permissions.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized shelf creation
- Disable public shelf functionality entirely in configuration
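The missing check described in the TL;DR, and the audit suggested above for instances that cannot patch, illustrated as an added example in plain Python (not Calibre-Web's own code; the permission name `public_shelf`, the classes and the method names are assumptions):

```python
from dataclasses import dataclass, field

# Hypothetical permission name; Calibre-Web's real flag may be named differently.
PUBLIC_SHELF = "public_shelf"


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Shelf:
    name: str
    owner: User
    is_public: bool


class ShelfStore:
    """Toy shelf store showing the vulnerable and the corrected create path."""

    def __init__(self):
        self.shelves = []

    def create_shelf_vulnerable(self, user, name, is_public):
        # Pre-fix pattern: the is_public flag from the request is trusted
        # without consulting the user's permissions.
        shelf = Shelf(name, user, is_public)
        self.shelves.append(shelf)
        return shelf

    def create_shelf_fixed(self, user, name, is_public):
        # Post-fix pattern: public shelves need an explicit permission;
        # private shelves stay available to every authenticated user.
        if is_public and PUBLIC_SHELF not in user.permissions:
            raise PermissionError(f"{user.name} may not create public shelves")
        shelf = Shelf(name, user, is_public)
        self.shelves.append(shelf)
        return shelf

    def audit_public_shelves(self):
        # Public shelves whose owner lacks the permission: the ones an
        # unpatched instance may already have let through.
        return [s for s in self.shelves
                if s.is_public and PUBLIC_SHELF not in s.owner.permissions]


def demo():
    store = ShelfStore()
    reader = User("reader")                       # constructed: no permission
    curator = User("curator", {PUBLIC_SHELF})     # constructed: permitted
    store.create_shelf_vulnerable(reader, "leaked", True)   # slips through
    store.create_shelf_fixed(curator, "featured", True)     # allowed
    store.create_shelf_fixed(reader, "mine", False)         # private is fine
    try:
        store.create_shelf_fixed(reader, "blocked", True)   # now rejected
    except PermissionError:
        pass
    return [s.name for s in store.audit_public_shelves()]
```

Running `demo()` returns the names of public shelves owned by users without the permission, which is the list a defender would review on an unpatched instance.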
🔍 How to Verify
Check if Vulnerable:
Test with a non-admin user account: attempt to create a public shelf via the web interface or API. If this succeeds without the public shelf permission, the instance is vulnerable.
Check Version:
Check Calibre-Web version in web interface or examine git commit hash in installation directory
Verify Fix Applied:
After patching, repeat the test with a non-admin user. Public shelf creation should fail with permission error.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing shelf creation by users without the public_shelf permission
- Unexpected public shelf creation events
Network Indicators:
- HTTP POST requests to /ajax/create/shelf endpoint from unauthorized users
SIEM Query:
source="calibre-web" AND (event="shelf_creation" OR path="/ajax/create/shelf") AND user_permissions NOT CONTAINS "public_shelf"