
CVE-2021-3986: Generation of Error Message Containing Sensitive Information in janeczku/calibre-web

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.14905%
Published: 11/15/2024
Updated: 11/19/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: calibreweb
Ecosystem: pip
Vulnerable Versions: < 0.6.15
First Patched Version: 0.6.15

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is in the remove_from_shelf function in shelf.py. Before the patch, the branch taken when the requester fails the shelf-edit permission check built its error message with shelf.name interpolated (lines 217-221 of the pre-patch file), so any logged-in user who asked to remove a book from a shelf they do not own was shown that shelf's name, including the names of other users' private shelves. The GitHub patch changes these lines to drop the shelf.name interpolation. The CVE description points at line 221 of shelf.py as the vulnerable location, and the commit diff confirms that the exposure was confined to this function's error-handling logic: the permission-failure path leaked shelf names both into the application log and into the message shown to the user. Only an authenticated account is needed to reach this path (CVSS PR:L), and the impact is limited to confidentiality of shelf names (C:L), which is what the 4.3 score reflects.
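The following is an added illustrative example, not calibre-web's own code, that models the permission-failure path described above: the pre-fix denial message that interpolates shelf.name beside the post-fix generic message, and the attacker-side loop that turns the leaky message into a shelf-name enumeration. The User and Shelf classes, can_edit_shelf, enumerate_shelf_names, the message strings and the sample shelves are all assumptions constructed for this example; only the function name remove_from_shelf and the shelf.name interpolation come from the analysis.

```python
# Added illustrative example, not calibre-web's code: a minimal model of the
# remove_from_shelf permission-failure path. User, Shelf, can_edit_shelf and
# enumerate_shelf_names are assumed names invented for this example, and the
# shelves below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


@dataclass
class Shelf:
    id: int
    name: str
    owner_id: int
    books: set = field(default_factory=set)


# Constructed sample data: Alice owns two private shelves, Bob owns one.
ALICE = User(1, "alice")
BOB = User(2, "bob")
SHELVES = {
    1: Shelf(1, "Bob's reading list", owner_id=BOB.id, books={10, 11}),
    2: Shelf(2, "Alice - medical records", owner_id=ALICE.id, books={20}),
    3: Shelf(3, "Alice - job applications", owner_id=ALICE.id, books={21}),
}

DENIED = "Sorry you are not allowed to remove a book from this shelf"


def can_edit_shelf(shelf: Shelf, user: User) -> bool:
    """Assumed policy: only the owner or an admin may edit a shelf."""
    return user.is_admin or shelf.owner_id == user.id


def remove_from_shelf_vulnerable(shelf_id: int, book_id: int, user: User):
    """Pre-fix shape: the denial message interpolates shelf.name, so any
    logged-in user learns the name of a shelf they may not touch."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return False, "Invalid shelf specified"
    if not can_edit_shelf(shelf, user):
        return False, f"{DENIED}: {shelf.name}"  # leaks the private name
    if book_id not in shelf.books:
        return False, "Book is not in shelf"
    shelf.books.remove(book_id)
    return True, "Book has been removed from shelf"


def remove_from_shelf_fixed(shelf_id: int, book_id: int, user: User):
    """Post-fix shape: same control flow, but the denial message is generic
    and carries nothing the requester is not entitled to see."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return False, "Invalid shelf specified"
    if not can_edit_shelf(shelf, user):
        return False, DENIED
    if book_id not in shelf.books:
        return False, "Book is not in shelf"
    shelf.books.remove(book_id)
    return True, "Book has been removed from shelf"


def enumerate_shelf_names(remove_fn, attacker: User, shelf_ids) -> dict:
    """Attacker side: walk candidate shelf IDs with a dummy book ID and
    harvest whatever name the permission-denied message echoes back."""
    leaked = {}
    for shelf_id in shelf_ids:
        ok, message = remove_fn(shelf_id, 0, attacker)
        if not ok and message.startswith(DENIED + ": "):
            leaked[shelf_id] = message[len(DENIED) + 2:]
    return leaked


if __name__ == "__main__":
    print(enumerate_shelf_names(remove_from_shelf_vulnerable, BOB, range(1, 6)))
    print(enumerate_shelf_names(remove_from_shelf_fixed, BOB, range(1, 6)))
```

Run against the vulnerable variant, Bob recovers both of Alice's private shelf names from shelf IDs 2 and 3 without ever having view access; against the fixed variant the loop returns nothing. Note that even the fixed variant in this example still distinguishes "Invalid shelf specified" from the denial message, so it confirms which shelf IDs exist; whether that is acceptable is a separate design decision that the shelf.name fix does not address.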

Vulnerable functions

remove_from_shelf in shelf.py (see the Root Cause Analysis above)

WAF Protection Rules

WAF Rule

A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a use
