| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| calibreweb | pip | <= 0.6.24 | |
The vulnerability is a blind OS command injection in Calibre Web and Autocaliweb. Based on the provided advisory and the patch for Autocaliweb, the root cause is the improper handling of the config_rarfile_location parameter.
The attack vector is as follows:

1. A request to the /admin/ajaxconfig endpoint sets the config_rarfile_location parameter to the absolute path of a binary on the server (e.g., /usr/bin/whoami or a malicious script).
2. The request is handled by the ajax_config function in cps/admin.py, which in turn calls _configuration_update_helper.
3. The _configuration_update_helper function calls _config_string, which eventually calls ConfigSQL.set_from_dictionary to save the malicious path to the configuration without proper validation.
4. _configuration_update_helper then calls helper.check_unrar with the user-controlled path. This function (or a function it calls, like process_open as mentioned in the advisory) executes the path using subprocess.Popen, resulting in the execution of the binary.

The patch applied to Autocaliweb addresses this by adding a whitelist validation check within the ConfigSQL.set_from_dictionary method in cps/config_sql.py. This prevents any unauthorized paths from being saved in the configuration, thus mitigating the command injection vulnerability at the source.
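The following is an added illustration of the mitigation described above, not the Autocaliweb or Calibre Web patch itself. It models, in a standalone Python module, an unchecked `set_from_dictionary` next to a version that validates `config_rarfile_location` against an allowlist before the value is stored, so that the later `check_unrar` call can never receive an attacker-chosen path. The allowlist contents, the `ConfigValidationError` type, and the dictionary-based config store are assumptions made for this example and are not taken from the project.

```python
import os

# Assumed allowlist of locations an administrator may select for the unrar
# binary. The real project's allowlist is not shown on this page.
ALLOWED_RARFILE_LOCATIONS = frozenset({
    "/usr/bin/unrar",
    "/usr/local/bin/unrar",
})


class ConfigValidationError(ValueError):
    """Raised when a submitted configuration value is rejected (hypothetical type)."""


def validate_rarfile_location(value, allowed=ALLOWED_RARFILE_LOCATIONS):
    """Return the canonical path if it is on the allowlist, otherwise raise.

    An empty value means "no unrar binary configured" and is accepted as-is.
    Only the normalised string is compared, so "/usr/bin/../bin/unrar"
    collapses to "/usr/bin/unrar"; symlinks are deliberately not resolved
    here so the check does not depend on the host filesystem.
    """
    if value is None or value == "":
        return ""
    if not isinstance(value, str) or "\x00" in value:
        raise ConfigValidationError("config_rarfile_location must be a plain string")
    if not os.path.isabs(value):
        raise ConfigValidationError("config_rarfile_location must be an absolute path")
    canonical = os.path.normpath(value)
    if canonical not in allowed:
        raise ConfigValidationError(
            f"{value!r} is not an approved unrar location"
        )
    return canonical


def set_from_dictionary_unchecked(config, form):
    """Models the pre-patch behaviour: the request value is stored verbatim."""
    if "config_rarfile_location" in form:
        config["config_rarfile_location"] = form["config_rarfile_location"]
    return config


def set_from_dictionary_checked(config, form):
    """Models the patched behaviour: the value must pass the allowlist first.

    Because validation happens at the point of storage, every later consumer
    of config["config_rarfile_location"] (such as a check_unrar helper that
    spawns the binary) only ever sees an approved path.
    """
    if "config_rarfile_location" in form:
        config["config_rarfile_location"] = validate_rarfile_location(
            form["config_rarfile_location"]
        )
    return config


if __name__ == "__main__":
    # Constructed sample form submissions for demonstration.
    benign = {"config_rarfile_location": "/usr/bin/unrar"}
    hostile = {"config_rarfile_location": "/usr/bin/whoami"}

    print(set_from_dictionary_unchecked({}, hostile))   # path stored verbatim
    print(set_from_dictionary_checked({}, benign))      # path accepted
    try:
        set_from_dictionary_checked({}, hostile)
    except ConfigValidationError as exc:
        print("rejected:", exc)
```

The important design choice is where the check sits: validating inside the storage routine, as the advisory describes for the patch, closes the hole for every caller, whereas validating only in the request handler would leave other write paths to the same setting unprotected.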
The identified vulnerable functions would appear in a runtime profile during exploitation, starting from the web request handler ajax_config down to the functions that process and store the malicious input.