Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1majV2LXcyanAtd3F2as4ABBYg
Improper Access Control in janeczku/calibre-web
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the create_shelf method in shelf.py not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1majV2LXcyanAtd3F2as4ABBYg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 days ago
Updated: 1 day ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-fj5v-w2jp-wqvj, CVE-2021-3987
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3987
- https://github.com/janeczku/calibre-web/commit/bcdc97641447965af486964537f3821f47b28874
- https://huntr.com/bounties/29fcc091-87b6-43bc-ab4b-3c0bec3f71df
- https://github.com/advisories/GHSA-fj5v-w2jp-wqvj
Blast Radius: 0.0
Affected Packages
pypi:calibreweb
Dependent packages: 0Dependent repositories: 1
Downloads: 4,091 last month
Affected Version Ranges: < 0.6.15
Fixed in: 0.6.15
All affected versions: 0.6.12, 0.6.13, 0.6.14
All unaffected versions: 0.6.15, 0.6.16, 0.6.17, 0.6.18, 0.6.19, 0.6.20, 0.6.21, 0.6.22, 0.6.23, 0.6.24