CVE-2022-30765
📋 TL;DR
CVE-2022-30765 is a SQL injection vulnerability in the user table (user management) functionality of Calibre-Web. An authenticated attacker can inject arbitrary SQL into the queries the application builds against its user table. All Calibre-Web releases before 0.6.18 are affected. A successful attacker could read, modify or delete database contents, including user accounts and their credentials, and book metadata.
💻 Affected Systems
- Calibre-Web
📦 What is this software?
Calibre-Web by janeczku: a Python (Flask) web application that provides a browser interface for browsing, reading and downloading e-books from an existing Calibre library. Its own application data, including the user table, is stored in an embedded SQLite database.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Calibre-Web application database: theft of every user account and password hash, tampering with roles (for example granting administrator rights to an attacker-controlled account), and destruction of user or metadata records. Because Calibre-Web keeps its data in SQLite, code execution through database functions is less likely than with server-based engines, but stolen administrator credentials give the attacker full control of the application.
Likely Case
Unauthorized reading of user data, escalation of an ordinary account to administrator, and exfiltration of records from the Calibre databases.
If Mitigated
With parameterized queries for values and an explicit allowlist for any identifiers (such as sort columns) that cannot be bound as parameters, the injection is not possible, and the impact is limited to what the attacker's own account role already permits.
🎯 Exploit Status
No public exploit is cited on this page. SQL injection flaws of this kind are routinely exploited with off-the-shelf tools such as sqlmap. Authentication is required, so real-world exposure depends on how easily an attacker can obtain an account: open self-registration, weak or leaked credentials, or another vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.18 and later
Vendor Advisory: https://github.com/janeczku/calibre-web/blob/master/SECURITY.md
Restart Required: Yes
Instructions:
1. Back up your Calibre-Web data and configuration (the application database and config).
2. Stop the Calibre-Web service.
3. Update to version 0.6.18 or later using your package manager (for example `pip install --upgrade calibreweb`) or by downloading the release from GitHub.
4. Restart the Calibre-Web service.
5. Verify that the update was successful by checking the reported version.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation that rejects any user-table request parameter (for example the sort column and direction) that is not on an explicit allowlist, and bind all values as query parameters. This requires modifying application code; upgrading is the preferred fix.
# Requires modifying application code to add input validation
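The pattern the workaround describes, shown as an added example rather than Calibre-Web's own code: a user listing that sorts by a caller-supplied column name. The vulnerable version concatenates both the filter value and the sort column into the SQL text; the hardened version binds the value as a parameter and, because SQLite cannot bind identifiers, checks the sort column against an allowlist. The table, rows and function names are constructed for the demonstration and use an in-memory SQLite database.

```python
"""Added example (not Calibre-Web code): injectable vs. hardened user listing."""
import sqlite3

# Constructed sample rows standing in for an application user table.
_ROWS = [
    ("admin", "root@example.org", 1),
    ("alice", "alice@example.org", 0),
    ("bob", "bob@example.org", 0),
]


def make_db():
    """Create an in-memory SQLite database with a small user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", _ROWS)
    return conn


def list_users_vulnerable(conn, sort, name_filter):
    """Injectable: both the filter value and the sort column are pasted into the SQL."""
    sql = ("SELECT name FROM user WHERE name LIKE '%" + name_filter + "%' "
           "ORDER BY " + sort)
    return [row[0] for row in conn.execute(sql)]


# Identifiers cannot be bound as parameters, so they must be allowlisted.
ALLOWED_SORT = {"name", "email", "is_admin"}


def list_users_hardened(conn, sort, name_filter):
    """Safe: value is a bound parameter, identifier comes from a fixed allowlist."""
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort column: %r" % sort)
    sql = "SELECT name FROM user WHERE name LIKE ? ORDER BY " + sort
    return [row[0] for row in conn.execute(sql, ("%" + name_filter + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Value injection: the comment marker discards the rest of the WHERE clause.
    print(list_users_vulnerable(db, "name", "x' OR 1=1 -- "))   # every user
    print(list_users_hardened(db, "name", "x' OR 1=1 -- "))     # []
    # Identifier injection: ORDER BY becomes a boolean oracle. The row order
    # changes depending on whether the subquery's condition is true.
    probe = ("CASE WHEN (SELECT is_admin FROM user WHERE name='admin')=%d "
             "THEN name ELSE email END")
    print(list_users_vulnerable(db, probe % 1, ""))  # sorted by name
    print(list_users_vulnerable(db, probe % 0, ""))  # sorted by email
```

The ORDER BY probe is why the allowlist matters: even when every value is bound, a concatenated sort column lets an attacker infer database contents one boolean at a time from the order in which rows come back.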
Web Application Firewall
Deploy a WAF with SQL injection protection rules in front of Calibre-Web. This reduces exposure to common payloads but does not remove the flaw; treat it as a stopgap until the upgrade is applied.
# Configure WAF rules to block SQL injection patterns
🧯 If You Can't Patch
- Isolate the Calibre-Web instance from untrusted networks using firewall rules.
- Restrict accounts tightly: disable self-registration, keep the number of users who can reach the user-management pages to a minimum, and monitor application logs for database errors and requests carrying SQL fragments.
🔍 How to Verify
Check if Vulnerable:
Any Calibre-Web release before 0.6.18 is vulnerable. Compare versions numerically rather than as strings: 0.6.8 is older than 0.6.18 even though it sorts after it alphabetically.
Check Version:
The running version is shown in the web interface's admin area (About section). On the host, `pip show calibreweb` reports the installed package version for pip installs, and a source checkout records it in `cps/constants.py` (`STABLE_VERSION`).
Verify Fix Applied:
After updating, confirm the reported version is 0.6.18 or later and that the user-management page still lists, sorts and edits users without errors.
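A small version check, added here as an example and not part of Calibre-Web, that handles the numeric-versus-string comparison pitfall above. It assumes the pip distribution is named `calibreweb` and that `cps/constants.py` stores the version as `STABLE_VERSION = {'version': '...'}`; both are assumptions about the project's packaging. A pre-release of 0.6.18 (for example a version string ending in "Beta") is reported conservatively as vulnerable because a beta may predate the fix.

```python
"""Added example: is this Calibre-Web version affected by CVE-2022-30765?"""
import re
import sys

FIXED_VERSION = (0, 6, 18)


def parse_version(text):
    """Pull the leading dotted numeric version out of strings such as
    '0.6.17', '0.6.18 Beta' or 'Version: 0.6.19'; returns None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_vulnerable(text):
    """True when the version is below 0.6.18, comparing numerically
    (so 0.6.8 < 0.6.18). A beta of 0.6.18 is treated as vulnerable."""
    v = parse_version(text)
    if v is None:
        raise ValueError("no version number found in %r" % text)
    if v < FIXED_VERSION:
        return True
    return v == FIXED_VERSION and "beta" in text.lower()


def version_from_constants(source_text):
    """Extract the version from the text of cps/constants.py.
    Assumes the format STABLE_VERSION = {'version': '0.6.x'}."""
    m = re.search(
        r"STABLE_VERSION\s*=\s*\{[^}]*['\"]version['\"]\s*:\s*['\"]([^'\"]+)['\"]",
        source_text,
    )
    return m.group(1) if m else None


def installed_version():
    """Best effort: version of the 'calibreweb' pip distribution (assumed
    name), or None when it is not installed via pip."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("calibreweb")
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    # Usage: python check.py [version-string]; without an argument the
    # installed pip package is inspected.
    text = sys.argv[1] if len(sys.argv) > 1 else installed_version()
    if text is None:
        sys.exit("calibreweb is not pip-installed; pass the version string as an argument")
    verdict = "VULNERABLE, update to 0.6.18 or later" if is_vulnerable(text) else "not affected"
    print("%s: %s" % (text, verdict))
```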
📡 Detection & Monitoring
Log Indicators:
- SQLAlchemy or SQLite error traces in the application log that quote user-supplied values
- Multiple failed login attempts followed by successful access
- Database error messages containing SQL syntax
Network Indicators:
- HTTP requests to the user-management pages whose parameters contain SQL fragments (quotes, comment markers, UNION/SELECT), often URL-encoded
- Repeated requests to the same endpoint from one session with small variations in a single parameter, typical of automated injection tooling
- Calibre-Web uses an embedded SQLite database, so there are no separate database connections to watch; the web tier is the only vantage point
SIEM Query:
source="calibre-web" AND ("sql" OR "database error" OR "syntax error")
This is a broad starting point; adjust the source name to your log index and pair it with a search of web-server access logs for SQL fragments in request parameters.
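The access-log side of that detection, as an added example that is not part of this advisory or of Calibre-Web: it parses lines in the common combined log format, decodes each query-string parameter and flags values that look like SQL injection, while leaving ordinary apostrophes (such as a search for O'Reilly) alone. The log lines, the IP addresses and the request paths are constructed for the demonstration and are not claimed to be Calibre-Web's real routes.

```python
"""Added example: flag SQL-injection-looking parameters in web access logs."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Fields we need from a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Indicators of SQL injection in a decoded parameter value.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),          # UNION-based extraction
    re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),   # tautologies like OR 1=1
    re.compile(r"--\s|/\*|;\s*(drop|delete|update|insert)\b", re.I),  # comments, stacked queries
    re.compile(r"\b(sleep|randomblob)\s*\(", re.I),      # time/resource-based probes
    re.compile(r"'\s*(or|and)\b", re.I),                 # quote followed by boolean operator
]


def suspicious_params(target):
    """Return {parameter: decoded value} for values matching an SQLi pattern."""
    hits = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits[key] = decoded
    return hits


def scan(lines):
    """Parse access-log lines and return one alert per request with suspicious parameters."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return alerts


# Constructed sample log lines; paths are placeholders, not real routes.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2022:12:00:01 +0000] "GET /admin/user?sort=name&order=asc HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/May/2022:12:00:07 +0000] "GET /admin/user?sort=name%27%20OR%201%3D1--%20 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/May/2022:12:00:09 +0000] "GET /admin/user?sort=name%20UNION%20SELECT%20password%20FROM%20user HTTP/1.1" 500 312',
    '10.0.0.7 - - [10/May/2022:12:00:11 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [10/May/2022:12:00:13 +0000] "GET /search?query=O%27Reilly HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The patterns are deliberately narrow so that a lone apostrophe does not raise an alert; a 500 response on a flagged request is a strong signal, since a broken query usually surfaces as a server error in the application log at the same time.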