Cyber Resilience

CVE-2024-6781

High

Published: 06 August 2024
Modified: 19 August 2024
KEV Added: not listed
Patch: available (fix commit referenced under Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9372 (99.9th percentile)
Risk Priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6781 is a high-severity Path Traversal (CWE-22) vulnerability in Calibre-Ebook Calibre. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Calibre versions up to and including 7.14.0 contain a path traversal vulnerability tracked as CVE-2024-6781 and assigned CWE-22. The flaw permits unauthenticated remote attackers to read arbitrary files on the affected system, reflected in its CVSS 3.1 score of 7.5 with network attack vector, low complexity, and no required privileges or user interaction.

An attacker can send crafted requests over the network to traverse directories and retrieve sensitive files without authentication, potentially exposing configuration data, user documents, or other restricted content hosted by the Calibre instance.

The referenced GitHub commit bcd0ab12c41a887f8290a9b56e46c3a29038d9c4 implements the fix in the Calibre codebase, and the Star Labs advisory at starlabs.sg provides further technical details on the issue. The associated EPSS score remains elevated near 0.94 with negligible movement between its recorded peak and current values.

EU & UK References

Vulnerability details

Path traversal in Calibre <= 7.14.0 allows unauthenticated attackers to achieve arbitrary file read.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: calibre-ebook
Product: calibre
Versions: ≤ 7.14.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
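The control above is the generic CWE-22 mitigation. The following Python example, added here and not taken from Calibre or from the fix commit, shows what that control looks like in practice for a server that maps request paths onto a library directory: a syntactic check on the untrusted relative path, followed by a filesystem-level check after symlink resolution, since a path that looks clean can still escape through a symlink inside the served tree. The names `library_root`, `user_path`, and the temporary library built by `demo()` are assumptions for illustration; the input is assumed to have been URL-decoded exactly once by the web layer before it reaches these functions.

```python
import os
import posixpath
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when an untrusted path would escape the library root."""


def check_relative_path(user_path: str) -> str:
    """Syntactic check on an untrusted, already URL-decoded relative path.

    Returns a normalised POSIX-style relative path or raises
    PathTraversalError. Does not touch the filesystem.
    """
    if not user_path or "\x00" in user_path:
        raise PathTraversalError("empty path or embedded NUL byte")
    # Treat backslashes as separators so mixed-separator input is
    # normalised the same way as forward slashes.
    candidate = user_path.replace("\\", "/")
    normalised = posixpath.normpath(candidate)
    # isabs() also rejects drive-letter paths when running on Windows.
    if normalised.startswith("/") or os.path.isabs(normalised):
        raise PathTraversalError("absolute paths are not allowed")
    # After normpath, a surviving '..' component means the path climbs
    # above the root; '.' alone names the root directory, not a file.
    if ".." in normalised.split("/") or normalised == ".":
        raise PathTraversalError("path escapes the library root")
    return normalised


def resolve_within(library_root: str, user_path: str) -> str:
    """Filesystem-level check: resolve symlinks on both sides and confirm
    the final location is still inside library_root."""
    relative = check_relative_path(user_path)
    root = os.path.realpath(library_root)
    target = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, target]) != root:
        raise PathTraversalError("resolved path leaves the library root")
    return target


def is_within(library_root: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_within for logging or tests."""
    try:
        resolve_within(library_root, user_path)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Build a throwaway library (constructed sample data) containing a
    symlink that points outside it, and report which request paths the
    checks accept. Returns {request_path: accepted}."""
    outside = tempfile.mkdtemp(prefix="outside-")
    root = tempfile.mkdtemp(prefix="library-")
    try:
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("constructed file outside the library\n")
        os.makedirs(os.path.join(root, "books", "1"))
        with open(os.path.join(root, "books", "1", "cover.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8")  # constructed stub, not a real image
        # A symlink inside the served tree that resolves outside it.
        os.symlink(outside, os.path.join(root, "link"))
        requests = [
            "books/1/cover.jpg",            # ordinary request
            "books/../books/1/cover.jpg",   # normalises back inside the root
            "../../etc/passwd",             # climbs above the root
            "books\\..\\..\\etc\\passwd",   # mixed separators
            "/etc/passwd",                  # absolute path
            "link/secret.txt",              # clean syntax, escapes via symlink
        ]
        return {p: is_within(root, p) for p in requests}
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{'ALLOW' if accepted else 'DENY ':5} {path!r}")
```

The two-stage design matters: `check_relative_path` gives a fast, filesystem-independent rejection that can be logged as a traversal attempt, while `resolve_within` is what actually guarantees containment, because only the resolved real path reveals where a symlink or junction leads. Returning the resolved `target` and opening that, rather than the original joined string, closes the gap between the check and the use.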

References