
CVE-2021-3987: Improper Access Control in janeczku/calibre-web

CVSS Score: 5.4 (CVSS 3.0)

Basic Information

EPSS Score
0.12338%
Published
11/15/2024
Updated
11/19/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
calibreweb     pip         < 0.6.15              0.6.15

Vulnerability Intelligence

Root Cause Analysis

The vulnerability documentation explicitly identifies the create_shelf method in shelf.py as the source of the flaw. The GitHub commit diff shows the patch added a permission check (current_user.role_edit_shelfs()) specifically in this function for POST requests. The absence of this authorization check in pre-patch versions directly matches the CWE-284 and CWE-862 descriptions of missing access control.
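As an added illustration (not calibre-web's own code), the following Python model contrasts a handler that accepts the public-shelf flag unchecked with one that applies the role_edit_shelfs() check named above on the POST path; the User, Shelf and form stand-ins and the role bit value are assumptions.

```python
# Constructed model of the create_shelf flaw and its fix. Not calibre-web's code:
# the classes, form layout and role bit are stand-ins chosen for illustration.
from dataclasses import dataclass

ROLE_EDIT_SHELFS = 0x04  # assumed bit value; the real constant may differ


@dataclass
class User:
    name: str
    role: int = 0

    def role_edit_shelfs(self) -> bool:
        # Mirrors the permission predicate named in the advisory.
        return bool(self.role & ROLE_EDIT_SHELFS)


@dataclass
class Shelf:
    title: str
    owner: str
    is_public: bool


class Forbidden(Exception):
    """Raised where a web app would flash an error and redirect."""


def create_shelf_vulnerable(current_user: User, form: dict) -> Shelf:
    """Pre-patch: the public flag from the form is trusted for any user."""
    is_public = form.get("is_public") == "on"
    return Shelf(form["title"], current_user.name, is_public)


def create_shelf_patched(current_user: User, form: dict) -> Shelf:
    """Post-patch: a public shelf requires the edit-shelfs role (CWE-862 fix)."""
    is_public = form.get("is_public") == "on"
    if is_public and not current_user.role_edit_shelfs():
        raise Forbidden("not allowed to create a public shelf")
    return Shelf(form["title"], current_user.name, is_public)


def attempt(handler, user: User, form: dict) -> str:
    """Run a POST-style submission through a handler and classify the outcome."""
    try:
        shelf = handler(user, form)
    except Forbidden:
        return "forbidden"
    return "created-public" if shelf.is_public else "created-private"
```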

WAF Protection Rules

WAF Rule

An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if
