CVE-2024-6782: Critical Unauthenticated Remote Code Execution in Calibre (<= 7.14.0)

ISGroup Cybersecurity

Calibre is a popular open-source e-book management software that supports features such as conversion, viewing, and library sharing. The software includes a content server for remote access to e-books, which, if not properly configured, can expose users to significant risks. Calibre versions from 6.9.0 to 7.14.0 contain a vulnerability that allows unauthenticated attackers to execute arbitrary code remotely.

ProductCalibre
Date2025-01-10 09:45:24
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2024-6782 describes an improper access control vulnerability in Calibre versions from 6.9.0 to 7.14.0, where the content server fails to adequately restrict remote access. An unauthenticated attacker can exploit this flaw to achieve Remote Code Execution (RCE) by sending a specially crafted request to the /cdb/cmd/list endpoint. The vulnerability stems from the server’s improper handling of user-controlled data passed to Python’s subprocess module, thereby allowing direct command injection. The issue poses a critical risk as it could lead to full system compromise if the content server is publicly exposed. Security researchers have verified the vulnerability, which has been publicly disclosed.

Recommendations

  • Update Immediately: Users must update to a patched version of Calibre later than 7.14.0, in which the vulnerability has been resolved.
  • Limit Content Server Exposure: If an immediate update is not possible, restrict access to the content server using firewall rules or network segmentation.
  • Disable Unnecessary Services: Disable the content server functionality if it is not essential.
  • Input Sanitization: Ensure that all user-controlled data is properly validated and sanitized before being passed to system commands.

[Callforaction-THREAT-Footer]