huntr report 499688C4-6AC4-4047-A868-7922C3EAB369 by scara31
History: Dec 20, 2021 - 11:47 a.m.

Server-Side Request Forgery (SSRF) in janeczku/calibre-web

2021-12-20 11:47:34
scara31
www.huntr.dev
134
ssrf
calibre-web
localhost
admin
staff
blind
vulnerability
port scanning
poc
ngrok
bug bounty

EPSS

0.002

Percentile

62.1%

Title

Blind SSRF via URL fetch

Summary

calibre-web lets a user supply an external URL from which a book cover is fetched. Nothing restricts the destination, so the field can instead point at localhost (or any other address the server can reach); the calibre-web process makes the request itself, and the attacker sees only whether the save succeeds, not the response, which makes this a blind SSRF.

Steps to reproduce

  1. As an admin, grant a staff (non-admin) user the permissions to upload files and edit books.
  2. As an admin, start any service listening on localhost so that the SSRF can be observed.
  3. As the malicious staff user, go to the books section -> select any book -> edit metadata -> in the "Fetch Cover from URL" field, enter the address of the service started in step 2 -> save the book.
  4. As an admin, observe that the service on localhost was reached by the calibre-web server.

PoC:

As a service for the PoC I used Python's simple server: python -m http.server 1234.
Also, you may tunnel the calibre-web server using ngrok (ngrok http 1234) to prove that it is exploitable in a real environment (I already did; I just wanted to keep the video PoC as short as possible).
Video PoC
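The flow above, as an added example that is not part of the report and not calibre-web's own code: a loopback listener standing in for `python -m http.server 1234`, the unchecked "fetch whatever URL was typed" pattern the report describes, and a destination check of the kind that blocks it. The names `CallbackListener`, `fetch_cover_vulnerable`, `fetch_cover_hardened`, `is_safe_fetch_target` and the `/cover.jpg` path are illustrative assumptions, not calibre-web identifiers; the check goes beyond the report's localhost case and also rejects private, link-local and other non-public ranges.

```python
"""Blind SSRF demo plus a destination check (added example, not calibre-web code).

Assumed names: CallbackListener, fetch_cover_vulnerable, fetch_cover_hardened,
is_safe_fetch_target. The listener response is constructed for the demo.
"""
import ipaddress
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class CallbackListener:
    """Stand-in for `python -m http.server 1234`: records the path of every GET."""

    def __init__(self):
        self.hits = []
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                listener.hits.append(self.path)
                self.send_response(200)
                self.send_header("Content-Type", "image/jpeg")
                self.end_headers()
                self.wfile.write(b"\xff\xd8 constructed fake cover bytes")

            def log_message(self, *args):
                pass  # keep the demo quiet

        # Port 0 lets the OS pick a free loopback port; the report used 1234.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


# Proxy-free opener so the demo talks to loopback directly even if HTTP_PROXY is set.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_cover_vulnerable(url, timeout=3):
    """The pattern the report describes: fetch whatever URL the user supplied."""
    with _OPENER.open(url, timeout=timeout) as resp:
        return resp.read()


def is_safe_fetch_target(url):
    """Reject URLs that are not http(s) or whose host resolves to a loopback,
    private, link-local or otherwise non-public address."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False  # do not rely on the resolver for the obvious case
    try:
        infos = socket.getaddrinfo(host, parts.port or 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return False
    for *_, sockaddr in infos:
        ip = ipaddress.ip_address(sockaddr[0].split("%")[0])
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True


def fetch_cover_hardened(url, timeout=3):
    """Same fetch, but refuses internal destinations before opening a connection."""
    if not is_safe_fetch_target(url):
        raise ValueError("refusing to fetch cover from a non-public address")
    return fetch_cover_vulnerable(url, timeout=timeout)


def demo():
    """Run the report's flow against a loopback listener.
    Returns (hits from the vulnerable fetch, hits from the hardened fetch, paths seen)."""
    listener = CallbackListener()
    try:
        url = f"http://127.0.0.1:{listener.port}/cover.jpg"
        fetch_cover_vulnerable(url)        # the server reaches localhost: blind SSRF
        vulnerable_hits = len(listener.hits)
        try:
            fetch_cover_hardened(url)      # blocked before any connection is made
        except ValueError:
            pass
        hardened_hits = len(listener.hits) - vulnerable_hits
        return vulnerable_hits, hardened_hits, list(listener.hits)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer of a real fix would raise: the check resolves the hostname and the fetch then resolves it again, so a DNS name that changes answers between the two lookups (DNS rebinding) slips past it unless the fetch connects to the already-vetted IP; and urllib follows redirects, so a public host may answer with a 302 to 127.0.0.1, which means each redirect hop must be re-checked or redirects disabled.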

Impact

The vulnerability can be used to port-scan the server's loopback interface and other internal addresses the server can reach, and, where a sensitive service listens on localhost and acts on unauthenticated GET requests, to trigger actions on that service from the calibre-web host.

