CVE-2023-46303

NameCVE-2023-46303
Descriptionlink_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
calibre (PTS)buster3.39.1+dfsg-3vulnerable
bullseye5.12.0+dfsg-1+deb11u1vulnerable
bookworm6.13.0+repack-2+deb12u3fixed
sid, trixie7.10.0+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
calibresourcebookworm6.13.0+repack-2+deb12u3
calibresource(unstable)6.19.1-1

Notes

[bullseye] - calibre <no-dsa> (Minor issue)
[buster] - calibre <no-dsa> (Minor issue)
https://github.com/0x1717/ssrf-via-img
https://github.com/kovidgoyal/calibre/commit/bbbddd2bf4ef4ddb467b0aeb0abe8765ed7f8a6b (v6.19.0)

Search for package or bug name: Reporting problems