CVE-2022-0939
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Calibre-Web, an open-source web application for managing eBook collections. Attackers can exploit this vulnerability to make the server send unauthorized requests to internal systems, potentially accessing sensitive data or services. All users running Calibre-Web versions prior to 0.6.18 are affected.
💻 Affected Systems
- Calibre-Web
📦 What is this software?
Calibre Web by Janeczku
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, perform port scanning of internal networks, or chain with other vulnerabilities to achieve remote code execution.
Likely Case
Unauthorized access to internal HTTP services, data exfiltration from internal systems, or reconnaissance of internal network infrastructure.
If Mitigated
Limited impact with proper network segmentation, egress filtering, and input validation controls in place.
🎯 Exploit Status
Exploitation requires authentication to Calibre-Web. The fix commit shows the vulnerability was in URL validation logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.18
Vendor Advisory: https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367
Restart Required: Yes
Instructions:
1. Back up your Calibre-Web data and configuration.
2. Stop the Calibre-Web service.
3. Update to version 0.6.18 or later using your package manager or by downloading from GitHub.
4. Restart the Calibre-Web service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
- Restrict the Calibre-Web server's outbound network access to only the services it needs
- Use firewall rules to block outbound HTTP/HTTPS from the Calibre-Web server except to required external services
Input Validation Enhancement
- Implement additional URL validation at the web application firewall or proxy layer
- Configure WAF rules to block SSRF patterns in URL parameters
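As an added example of the URL-validation workaround above (not Calibre-Web's own code and not the fix commit), the following Python check refuses URLs whose scheme is not HTTP(S), that carry userinfo, or whose host resolves to a loopback, private, link-local or otherwise non-public address. The `resolve` parameter and the stub resolvers used with it are assumptions so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolve(host):
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_public(addr):
    """True only for globally routable unicast addresses."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return (addr.is_global and not addr.is_multicast
            and not addr.is_loopback and not addr.is_link_local
            and not addr.is_unspecified and not addr.is_reserved)


def url_is_safe(url, resolve=_default_resolve):
    """Return True if every address the URL's host maps to is public.

    `resolve` is a hypothetical hook (assumption) so callers can inject a
    resolver; the default uses the system resolver.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname                # lower-cased, IPv6 brackets stripped
    if not host or parts.username or parts.password:
        return False                     # reject missing host and userinfo
    try:
        addrs = {ipaddress.ip_address(host)}   # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError):
            return False                 # unresolvable or malformed answer
    # Every answer must be public: one private record is enough to refuse.
    return bool(addrs) and all(_is_public(a) for a in addrs)
```

The address vetted here must also be the one actually connected to (pin the socket to it), otherwise a second lookup at request time can return a different answer than the one checked.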
🧯 If You Can't Patch
- Implement strict network egress filtering to prevent the server from accessing internal services
- Deploy a web application firewall with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check Calibre-Web version. If version is less than 0.6.18, the system is vulnerable.
Check Version:
Check the Calibre-Web web interface settings page or, if installed via pip, run:
python3 -c "import calibreweb; print(calibreweb.__version__)"
Verify Fix Applied:
After updating, verify the version is 0.6.18 or higher and test URL functionality with known SSRF test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Calibre-Web server to internal IP addresses
- Multiple failed authentication attempts followed by URL parameter manipulation
Network Indicators:
- HTTP requests from the Calibre-Web server to internal services (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 ranges)
- Unusual port scanning patterns originating from Calibre-Web server
SIEM Query:
source_ip="calibre-web-server-ip" AND (dest_ip=192.168.0.0/16 OR dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12) AND protocol=HTTP
🔗 References
- https://github.com/janeczku/calibre-web/commit/4545f4a20d9ff90b99bbd4e3e34b6de4441d6367
- https://huntr.dev/bounties/768fd7e2-a767-4d8d-a517-e9dda849c6e4