CVE-2021-3986

Advisory

Affected versions of cps in calibre-web are vulnerable to Generation of Error Message Containing Sensitive Information (CWE-209). This vulnerability allows attackers to obtain the names of private shelves through error messages when attempting unauthorized actions such as adding or removing books. The attack vector involves triggering these actions, resulting in logs or user-facing flash messages that include shelf.name in shelf.py. To mitigate, upgrade to the version that removes the exposure of shelf names from error messages, thereby preventing information leakage.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://huntr.com/bounties/394af194-61a7-4e33-b373-877d4c766fca
• https://github.com/janeczku/calibre-web/commit/6f5390ead5df9779ac81fadefffb476e03f93548
• https://github.com/advisories/GHSA-m982-h4f8-g4hf
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3986