A vulnerability in janeczku/calibre-web allows an authenticated user to learn the names of private shelves belonging to other users. The issue is in the file shelf.py at line 221: when a user attempts to remove a book from a shelf they do not own, the request is correctly rejected, but the error message returned to that user contains the shelf's name. Because the name is included before any check that the caller is allowed to see it, a user who references another user's shelf in such a request obtains the private name (CWE-209, error message containing sensitive information). The flaw discloses private information and affects all versions prior to the fix.
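The pattern the advisory describes, as an added illustration in Python (this is not code from calibre-web and not the actual shelf.py line 221): a remove-from-shelf handler that rejects a non-owner with a message echoing the shelf's name, beside a hardened version that keeps the name out of client-visible output and logs it server-side only. The Shelf model, the owner-only edit policy, the function names, and the sample shelves are all assumptions made for the example, and the enumeration loop shows why the leak matters: a single authenticated account collects every other user's private shelf name.

```python
"""Added illustration of CWE-209 in a shelf-removal handler.

Not calibre-web's code. Assumptions (hypothetical, not from the advisory):
shelves are rows with an owner id and a name, only the owner may edit a
shelf, the current user is an integer id, and the handler reports the
outcome by returning a message string that the client sees.
"""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("shelf")


@dataclass
class Shelf:
    id: int
    name: str            # private shelf names are the secret being protected
    user_id: int         # owner
    books: set = field(default_factory=set)


def check_shelf_edit(shelf: Shelf, current_user_id: int) -> bool:
    """Assumed policy: only the owner may modify a shelf."""
    return shelf.user_id == current_user_id


def remove_book_vulnerable(shelf: Shelf, book_id: int, current_user_id: int) -> str:
    """Vulnerable pattern: the client-facing rejection echoes the shelf name.

    The authorization check itself is right; the leak is in the message,
    which includes data the caller was just denied access to."""
    if not check_shelf_edit(shelf, current_user_id):
        return f"Sorry you are not allowed to remove a book from shelf: {shelf.name}"
    shelf.books.discard(book_id)
    return "Book has been removed from shelf"


def remove_book_fixed(shelf: Shelf, book_id: int, current_user_id: int) -> str:
    """Hardened pattern: the rejection carries nothing the caller may not read.

    The shelf name is still useful for investigation, so it goes to the
    server log, never into the response."""
    if not check_shelf_edit(shelf, current_user_id):
        log.warning("user %d tried to edit shelf %d (%r) owned by %d",
                    current_user_id, shelf.id, shelf.name, shelf.user_id)
        return "Sorry you are not allowed to remove a book from this shelf"
    shelf.books.discard(book_id)
    return "Book has been removed from shelf"


def message_leaks(message: str, shelf: Shelf) -> bool:
    """Test oracle: does a client-visible message contain the private name?"""
    return shelf.name in message


def enumerate_private_names(shelves, handler, attacker_id: int) -> list:
    """Simulated attacker: walk every shelf, send a remove request as the
    attacker, and collect any foreign shelf names that leak through the
    handler's error text. Returns the leaked names in shelf order."""
    leaked = []
    for shelf in shelves:
        msg = handler(shelf, book_id=1, current_user_id=attacker_id)
        if shelf.user_id != attacker_id and message_leaks(msg, shelf):
            leaked.append(shelf.name)
    return leaked


# Constructed sample data for the example (not data from the advisory).
SHELVES = [
    Shelf(1, "alice private reading list", user_id=1, books={1, 2}),
    Shelf(2, "bob secret project", user_id=2, books={1}),
    Shelf(3, "mallory shelf", user_id=3, books={1}),
]

if __name__ == "__main__":
    # Attacker is user 3 and owns only shelf 3.
    print(enumerate_private_names(SHELVES, remove_book_vulnerable, attacker_id=3))
    print(enumerate_private_names(SHELVES, remove_book_fixed, attacker_id=3))
```

The hardened variant still confirms that the referenced shelf exists; whether a rejected request for someone else's shelf should instead look identical to a request for a nonexistent shelf is a separate design decision, and the point the advisory makes is only that the name must not reach the client.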
History

Tue, 19 Nov 2024 17:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Janeczku; Janeczku calibre-web
CPEs                |                | cpe:2.3:a:janeczku:calibre-web:*:*:*:*:*:*:*:*
Vendors & Products  |                | Janeczku; Janeczku calibre-web
Metrics             |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 15 Nov 2024 19:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Calibre-web Project; Calibre-web Project calibre-web
CPEs                |                | cpe:2.3:a:calibre-web_project:calibre-web:-:*:*:*:*:*:*:*
Vendors & Products  |                | Calibre-web Project; Calibre-web Project calibre-web
Metrics             |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 11:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they do not own. This vulnerability discloses private information and affects all versions prior to the fix.
Title       |                | Information Disclosure in janeczku/calibre-web
Weaknesses  |                | CWE-209
References  |                |
Metrics     |                | cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-11-15T10:52:21.551Z

Updated: 2024-11-15T18:31:36.752Z

Reserved: 2021-11-20T11:08:36.338Z

Link: CVE-2021-3986

Vulnrichment

Updated: 2024-11-15T18:31:26.082Z

NVD

Status : Analyzed

Published: 2024-11-15T11:15:06.400

Modified: 2024-11-19T17:12:50.000

Link: CVE-2021-3986

Redhat

No data.