Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tOTgyLWg0ZjgtZzRoZs4ABBYf
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
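The advisory describes a classic information leak through an error message: the authorisation check fails, but the denial text itself echoes a private value (the shelf name) back to the unauthorised caller. The following is an added example, not calibre-web's code, that shows that pattern in a minimal remove-from-shelf handler beside a hardened version that keeps private details out of the user-facing message and writes them to the server log instead. All names (`SHELVES`, `remove_book_vulnerable`, `remove_book_hardened`, `error_message`) and the sample data are constructed for illustration.

```python
# Added example (not calibre-web's code): a minimal remove-from-shelf handler
# showing the error-message leak described in the advisory beside a hardened
# version. Data structures, names and message wording are assumptions.
import logging

log = logging.getLogger("shelf")

# Constructed sample data: shelf id -> owner user id, shelf name, visibility.
SHELVES = {
    1: {"owner": 10, "name": "alice-private-reading", "public": False},
    2: {"owner": 10, "name": "alice-public", "public": True},
}
SHELF_BOOKS = {1: {101, 102}, 2: {103}}


class ShelfError(Exception):
    """Error whose text is shown to the requesting user."""


def _can_edit(shelf, user_id):
    """Only the owner may modify a shelf (constructed rule)."""
    return shelf["owner"] == user_id


def remove_book_vulnerable(user_id, shelf_id, book_id):
    """Vulnerable pattern: the denial message embeds the shelf's name, so an
    unauthorised caller learns the names of other users' private shelves."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        raise ShelfError("Shelf not found")
    if not _can_edit(shelf, user_id):
        # The leak: a private attribute is interpolated into the error text.
        raise ShelfError(
            f"You are not allowed to remove a book from shelf: {shelf['name']}"
        )
    SHELF_BOOKS[shelf_id].discard(book_id)
    return True


def remove_book_hardened(user_id, shelf_id, book_id):
    """Hardened pattern: authorise first, return one generic message whether the
    shelf is missing or simply not owned, and keep the details in the server log."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None or not _can_edit(shelf, user_id):
        # Operators still get the context; the caller gets nothing to enumerate.
        log.warning(
            "user %s denied removing book %s from shelf %s", user_id, book_id, shelf_id
        )
        raise ShelfError("Shelf not found or access denied")
    SHELF_BOOKS[shelf_id].discard(book_id)
    return True


def error_message(func, user_id, shelf_id, book_id):
    """Return the user-visible error text for a call, or None on success."""
    try:
        func(user_id, shelf_id, book_id)
    except ShelfError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # User 99 does not own shelf 1: the vulnerable handler reveals its name.
    print(error_message(remove_book_vulnerable, 99, 1, 101))
    print(error_message(remove_book_hardened, 99, 1, 101))
```

The hardened handler also answers a non-existent shelf and a foreign shelf with the same text, so the message cannot be used to confirm which shelf ids exist; the distinction survives in the log line for the operator.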
Permalink: https://github.com/advisories/GHSA-m982-h4f8-g4hf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOTgyLWg0ZjgtZzRoZs4ABBYf
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 days ago
Updated: 1 day ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-m982-h4f8-g4hf, CVE-2021-3986
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3986
- https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548
- https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca
- https://github.com/advisories/GHSA-m982-h4f8-g4hf
Blast Radius: 0.0
Affected Packages
pypi:calibreweb
Dependent packages: 0
Dependent repositories: 1
Downloads: 4,091 last month
Affected Version Ranges: < 0.6.15
Fixed in: 0.6.15
All affected versions: 0.6.12, 0.6.13, 0.6.14
All unaffected versions: 0.6.15, 0.6.16, 0.6.17, 0.6.18, 0.6.19, 0.6.20, 0.6.21, 0.6.22, 0.6.23, 0.6.24