CVE-2021-3986: Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-3986
GHSA ID
EPSS Score: 0.14905%
CWE: Generation of Error Message Containing Sensitive Information
Published: 11/15/2024
Updated: 11/19/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| calibreweb | pip | < 0.6.15 | 0.6.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the remove_from_shelf function in shelf.py, where pre-patch versions included shelf.name in error messages (lines 217-221). The GitHub patch shows these lines were modified to remove shelf.name interpolation. The CVE description specifically references line 221 in shelf.py as the vulnerable location, and the commit diff confirms the sensitive data exposure was in this function's error handling logic. The function's permission check failure path directly leaked shelf names through both logging and user-facing error messages.
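To illustrate the pattern described above, the following is an added example and not calibre-web's own code: a constructed permission check for removing a book from a shelf, in the leaky shape that interpolates the shelf name into the log line and the user-facing message, beside a hardened shape that reports only a generic message and keeps an opaque shelf id in the log. The `Shelf` class, `can_edit` rule and message texts are all constructed for the illustration.

```python
import logging
from dataclasses import dataclass
from typing import Tuple

log = logging.getLogger("shelf_demo")


@dataclass
class Shelf:
    # Constructed stand-in for a shelf record: numeric id, human-chosen name, owner, visibility.
    shelf_id: int
    name: str
    owner_id: int
    is_public: bool = False


def can_edit(shelf: Shelf, user_id: int) -> bool:
    # Constructed rule: anyone may touch a public shelf, only the owner a private one.
    return shelf.is_public or shelf.owner_id == user_id


def remove_from_shelf_leaky(shelf: Shelf, user_id: int) -> Tuple[bool, str]:
    """Vulnerable shape: on a denied request, the shelf name chosen by another user is
    reflected into both the log and the message returned to the requester (CWE-209)."""
    if not can_edit(shelf, user_id):
        msg = f"User {user_id} is not allowed to remove a book from shelf {shelf.name}"
        log.warning(msg)
        return False, msg
    return True, "Book removed from shelf"


def remove_from_shelf_fixed(shelf: Shelf, user_id: int) -> Tuple[bool, str]:
    """Hardened shape: the requester gets a generic denial; the log keeps only the
    numeric id, which is enough for an operator to correlate without exposing the name."""
    if not can_edit(shelf, user_id):
        log.warning(
            "User %d is not allowed to remove a book from shelf id %d",
            user_id,
            shelf.shelf_id,
        )
        return False, "Sorry, you are not allowed to remove a book from this shelf"
    return True, "Book removed from shelf"


def message_leaks_name(shelf: Shelf, message: str) -> bool:
    # Simple regression check: does a returned message contain the shelf's private name?
    return (not shelf.is_public) and shelf.name in message
```

The `message_leaks_name` check is the kind of assertion a test suite can carry so that a later refactor does not reintroduce the interpolation.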