CVE-2022-2525
📋 TL;DR
CVE-2022-2525 is an authentication brute-force vulnerability in Calibre-Web that allows attackers to make unlimited login attempts without rate limiting. This affects all users running Calibre-Web versions prior to 0.6.20. Attackers can potentially guess credentials and gain unauthorized access to the system.
💻 Affected Systems
- Calibre-Web
📦 What is this software?
Calibre Web by Janeczku
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to the entire Calibre-Web library, potential data theft, and further system compromise if the compromised account has administrative privileges.
Likely Case
Unauthorized access to user accounts through brute-force password guessing, potentially exposing personal reading data and library contents.
If Mitigated
Limited to failed login attempts that are logged and monitored, with no successful unauthorized access.
🎯 Exploit Status
Exploitation requires no authentication and can be performed with simple brute-force tools. The vulnerability is well-documented in public repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.20
Vendor Advisory: https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e
Restart Required: Yes
Instructions:
1. Backup your current Calibre-Web installation and database.
2. Update to version 0.6.20 or later using your package manager or by downloading from GitHub.
3. Restart the Calibre-Web service.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Implement Web Application Firewall (WAF) Rate Limiting
Configure rate limiting rules for login endpoints to restrict excessive authentication attempts.
# Example nginx rate limiting configuration
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
location /login {
limit_req zone=login burst=10 nodelay;
}
Network-Level Access Controls
Restrict access to Calibre-Web to trusted IP ranges only using firewall rules.
# Example iptables rule to restrict access
sudo iptables -A INPUT -p tcp --dport 8083 -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8083 -j DROP
🧯 If You Can't Patch
- Implement strong password policies and monitor for brute-force attempts in logs
- Place Calibre-Web behind a reverse proxy with rate limiting enabled
🔍 How to Verify
Check if Vulnerable:
Check the Calibre-Web version in the web interface or configuration files. If the version is below 0.6.20, the system is vulnerable.
Check Version:
Check the Calibre-Web web interface footer or run: grep -i version /path/to/calibre-web/version.py 2>/dev/null || echo 'Check web interface'
Verify Fix Applied:
After updating, verify the version shows 0.6.20 or higher in the web interface or via the version check command.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from the same IP address
- Rapid succession of POST requests to /login endpoint
- Unusual login patterns outside normal hours
Network Indicators:
- High volume of HTTP POST requests to login endpoint
- Traffic patterns showing brute-force tools in User-Agent strings
SIEM Query:
source="calibre-web" (method="POST" AND uri_path="/login" AND response_status="401") | stats count by src_ip | where count > 10
🔗 References
- https://github.com/janeczku/calibre-web/commit/49e4f540c9b204c7e39b3c27ceadecd83ed60e7e
- https://huntr.dev/bounties/9ff87820-c14c-4454-9764-406496254ef0