CVE-2023-47619
📋 TL;DR
CVE-2023-47619 is a critical vulnerability in Audiobookshelf where users with update permissions can read arbitrary files, delete arbitrary files, and make unauthorized GET requests to external URLs. This leads to information disclosure and potential system compromise. All Audiobookshelf instances running version 2.4.3 or earlier are affected.
💻 Affected Systems
- Audiobookshelf
📦 What is this software?
Audiobookshelf by Audiobookshelf
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files (including configuration files with credentials), delete critical system files causing service disruption, and use the server as a proxy for attacks on internal networks or external systems.
Likely Case
Unauthorized access to sensitive audiobook metadata, user data, and configuration files. Potential for credential theft from configuration files.
If Mitigated
Limited to authorized users with update permissions only, restricting impact to what those users could already access through legitimate means.
🎯 Exploit Status
Exploitation requires authenticated user with update permissions. GitHub Security Lab has published detailed advisories with proof-of-concept information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/
Restart Required: Yes
Instructions:
No official patch available. Monitor the Audiobookshelf GitHub repository for updates and apply when available. Restart service after patching.
🔧 Temporary Workarounds
Restrict User Permissions
allRemove update permissions from all non-essential users. Only grant update permissions to absolutely necessary administrative accounts.
Network Segmentation
allPlace Audiobookshelf instances in isolated network segments to limit potential lateral movement and external request capabilities.
🧯 If You Can't Patch
- Immediately audit and restrict all user accounts with update permissions to only essential administrative users
- Implement strict network controls to prevent the server from making outbound requests to arbitrary URLs
🔍 How to Verify
Check if Vulnerable:
Check Audiobookshelf version. If version is 2.4.3 or earlier, the system is vulnerable.Check Version:
Check the Audiobookshelf web interface settings page or examine package/container versionVerify Fix Applied:
When patch becomes available, verify version is greater than 2.4.3 and test that users with update permissions can no longer perform arbitrary file operations.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from non-admin users
- GET requests to unexpected external domains
- File deletion operations in application logs
Network Indicators:
- Outbound HTTP requests from Audiobookshelf server to unusual domains
- Unusual file access patterns via network monitoring
SIEM Query:
source="audiobookshelf" AND (event="file_read" OR event="file_delete" OR event="external_request") AND user!="admin"🔗 References
- https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66
- https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/
- https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66
- https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/
