Weak Password Requirements in janeczku/calibre-web
Description
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Weak password requirements in Calibre-Web prior to 0.6.20 allow attackers to easily brute-force user credentials.
Vulnerability
CVE-2023-2106 identifies a weakness in password requirements (CWE-521, Weak Password Requirements) within the Calibre-Web application [1]. Prior to version 0.6.20 the software does not enforce a password policy, so users can set passwords that are trivially guessable or that fall quickly to a dictionary or brute-force attack [2]. The root cause is the absence of any password-strength validation (length, character classes, or checks against common passwords) during account creation and password changes.
Exploitation
An attacker can exploit this vulnerability by enumerating usernames and then trying common passwords against each one, or by running a sustained brute-force attack against the application's login endpoint. The only access needed is the ability to reach the web interface; no prior authentication is required. No user interaction is needed, so the attack is readily automated with a script [4].
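The credential-guessing traffic described above leaves a recognisable pattern in the application log: a burst of failed logins from one source, often across several usernames, sometimes followed by a success. The following detector, added here as an illustration and not part of Calibre-Web or of this advisory, runs a sliding-window count of failed logins per source address over a handful of constructed log lines. The log line format, the threshold, the window size and the function names are assumptions made for the example.

```python
"""Failed-login burst detection over application log lines.

Added example; not Calibre-Web's own code. The "Login failed for user ..."
message format, the 4-failures-in-60-seconds threshold and the function
names are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Lines are assumed to be in chronological order,
# which is what a detector reading a log file as it is written can expect.
SAMPLE_LOG = """\
2024-05-01 10:00:01 WARNING Login failed for user "admin" IP-address: 203.0.113.7
2024-05-01 10:00:02 WARNING Login failed for user "admin" IP-address: 203.0.113.7
2024-05-01 10:00:02 WARNING Login failed for user "alice" IP-address: 203.0.113.7
2024-05-01 10:00:03 WARNING Login failed for user "bob" IP-address: 203.0.113.7
2024-05-01 10:00:04 WARNING Login failed for user "admin" IP-address: 203.0.113.7
2024-05-01 10:00:05 INFO Login successful for user "admin" IP-address: 203.0.113.7
2024-05-01 10:05:00 WARNING Login failed for user "alice" IP-address: 198.51.100.9
2024-05-01 10:20:00 WARNING Login failed for user "alice" IP-address: 198.51.100.9
"""

# Assumed log line shape: "<timestamp> <level> Login failed|successful for user "<name>" IP-address: <ip>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ '
    r'Login (?P<result>failed|successful) for user "(?P<user>[^"]*)" '
    r'IP-address: (?P<ip>\S+)$'
)


def parse_line(line: str):
    """Return (timestamp, failed, username, ip) for a login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"] == "failed", m["user"], m["ip"]


def detect_brute_force(log_text: str, threshold: int = 4,
                       window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Flag source IPs with >= threshold failed logins inside the window.

    A later successful login from an already-flagged source, while failures
    are still inside the window, is reported separately: that is the event
    that turns a noisy attempt into a likely account compromise.
    """
    failures = defaultdict(deque)    # ip -> timestamps of recent failures
    usernames = defaultdict(set)     # ip -> distinct usernames attempted
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                 # unrelated log line
        ts, failed, user, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if failed:
            recent.append(ts)
            usernames[ip].add(user)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "kind": "burst",
                               "failures": len(recent),
                               "usernames": len(usernames[ip])})
        elif ip in flagged and recent:
            alerts.append({"ip": ip, "kind": "success_after_burst",
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the sample above the detector reports one burst from 203.0.113.7 (four failures across three usernames in three seconds) and then the successful "admin" login from the same address, while the two failures from 198.51.100.9 fifteen minutes apart stay below the threshold. Tune the threshold and window to the application's real traffic; spraying attacks that rotate source addresses need a per-username view in addition to the per-IP one shown here.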
Impact
Successful exploitation gives the attacker unauthorized access to the victim's account. Depending on that user's permissions, this allows viewing, downloading, or modifying eBooks and metadata in the Calibre database. If the guessed account is an administrator, the attacker gains full control over the application, its configuration, and its data [1].
Mitigation
The vulnerability is fixed in version 0.6.20 of Calibre-Web [3]. Users should update to this version or later so that stronger password requirements are enforced. Note that a password policy is applied only when a password is set or changed, so accounts created before the upgrade keep whatever password they already had until it is reset; administrators should have users with weak passwords change them after updating. There is no evidence this CVE has been added to the CISA Known Exploited Vulnerabilities catalog.
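To make the root cause concrete, the following added example (not Calibre-Web's own code, and not the code in the 0.6.20 fix) puts the pre-fix behaviour, a password-change path that accepts any non-empty string, beside a hardened path that checks a configurable policy: minimum length, character classes, a common-password denylist, and the username appearing in the password. The policy defaults, the denylist entries and the function names are assumptions chosen for illustration.

```python
"""Password-policy enforcement: accept-anything versus configurable policy.

Added example; not Calibre-Web's own code. Policy defaults, the denylist
and the function names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Constructed denylist: a few entries of the kind found in public breached
# password lists. A real deployment would load a much larger list from disk.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "admin", "calibre", "letmein",
})


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy knobs; every check can be switched off individually."""
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    reject_common: bool = True
    reject_username: bool = True


def accept_any_password(password: str) -> bool:
    """Models the weak pre-fix behaviour: any non-empty password is accepted."""
    return bool(password)


def password_violations(password: str, username: str,
                        policy: PasswordPolicy) -> list[str]:
    """Return every policy rule the candidate breaks; an empty list means accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if policy.require_digit and not re.search(r"\d", password):
        violations.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    if policy.reject_common and password.lower() in COMMON_PASSWORDS:
        violations.append("appears in common-password list")
    if policy.reject_username and username and username.lower() in password.lower():
        violations.append("contains the username")
    return violations


def set_password_hardened(password: str, username: str,
                          policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Hardened password-change path: reject unless the policy is fully met."""
    return not password_violations(password, username, policy)


if __name__ == "__main__":
    for candidate in ("123456", "alicealice1A!", "Correct-Horse-Battery-9"):
        print(candidate, accept_any_password(candidate),
              password_violations(candidate, "alice", PasswordPolicy()))
```

Reporting every violation at once, rather than stopping at the first, lets the UI tell the user exactly what to fix; the username and denylist checks catch the passwords that satisfy the character-class rules on paper but still sit at the top of any attacker's wordlist.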
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| calibreweb (PyPI) | < 0.6.20 | 0.6.20 |
Affected products
janeczku/calibre-web (Range: unspecified)
Patches
Commit 149e4f540c9b2: ** Be careful, after updating, there is no way back **
1 file changed, +546 −1877
test/Calibre-Web TestSummary_Linux.html (modified, +546 −1877)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References