PT-2022-13422 · Unknown · Calibre-Web

Ozzieisaacs · Published 2022-03-07 · Updated 2024-11-19 · CVE-2022-0766

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: calibre-web versions prior to 0.6.17
Description: Server-Side Request Forgery (SSRF) in the GitHub repository janeczku/calibre-web. An earlier fix added a blacklist of local addresses for the application's server-side fetches, but that fix is incomplete: the blacklist does not check for 0.0.0.0. On Linux a connection to 0.0.0.0 is delivered to the local host, so a payload of 0.0.0.0 reaches services listening on localhost exactly as 127.0.0.1 would, bypassing the check.
Recommendations: For versions prior to 0.6.17, update to version 0.6.17 or later to resolve the issue. As a temporary workaround, restrict what the calibre-web process can reach on its own host: avoid running other services bound to the loopback interface of the calibre-web host, or isolate calibre-web in a container or network namespace from which no internal services are reachable, and limit the feature that performs server-side fetches to trusted accounts.
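The following is an added example illustrating the class of bug described above; it is a hypothetical reconstruction, not calibre-web's own code. It contrasts a string blacklist that names only the loopback spellings it knows about (so 0.0.0.0 passes) with a check that classifies the resolved address by its properties using Python's `ipaddress` module. The `FAKE_DNS` table, the `resolve`/`blocked_naive`/`is_internal`/`check_cover_url` names and the public address for example.org are all constructed for the example so it runs offline; the example goes beyond the advisory's single payload by also covering `::`, IPv4-mapped IPv6 and shorthand dotted notation.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS/getaddrinfo so the example runs offline.
# Keys are hostnames exactly as urlparse().hostname returns them (brackets
# stripped from IPv6 literals); values are the address the socket layer
# would actually connect to. The "127.1" entry models inet_aton expanding
# shorthand dotted notation, which string matching on the URL text misses.
FAKE_DNS = {
    "localhost": "127.0.0.1",
    "127.0.0.1": "127.0.0.1",
    "127.1": "127.0.0.1",
    "0.0.0.0": "0.0.0.0",
    "::": "::",
    "::1": "::1",
    "::ffff:127.0.0.1": "::ffff:127.0.0.1",
    "169.254.169.254": "169.254.169.254",
    "example.org": "93.184.216.34",  # constructed public address
}


def resolve(url: str) -> str:
    """Return the address the socket layer would connect to (fake lookup)."""
    host = urlparse(url).hostname
    if host is None or host not in FAKE_DNS:
        raise ValueError(f"unresolvable host in {url!r}")
    return FAKE_DNS[host]


def blocked_naive(url: str) -> bool:
    """String blacklist of the incomplete-fix kind (hypothetical, not the
    project's code). It lists the loopback spellings it knows about and
    nothing else, so 0.0.0.0 and :: slip through even though on Linux a
    connect() to either one is delivered to the local host."""
    ip = resolve(url)
    return ip.startswith("127.") or ip == "::1" or ip.startswith("::ffff:127.")


def is_internal(ip_str: str) -> bool:
    """Classify by address properties instead of by spelling."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified      # 0.0.0.0 and :: -> local host
            or ip.is_loopback      # 127/8 and ::1
            or ip.is_private       # RFC 1918, ULA, and similar ranges
            or ip.is_link_local    # 169.254/16 (cloud metadata), fe80::/10
            or ip.is_multicast
            or ip.is_reserved)


def check_cover_url(url: str):
    """Allow-list the scheme, then reject any target whose resolved address
    is internal. Returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    try:
        ip = resolve(url)
    except ValueError as exc:
        return False, str(exc)
    if is_internal(ip):
        return False, f"{parsed.hostname} resolves to internal address {ip}"
    return True, f"{parsed.hostname} -> {ip}"


if __name__ == "__main__":
    for u in ("http://127.0.0.1:8083/", "http://0.0.0.0:8083/",
              "http://[::]:8083/", "https://example.org/cover.jpg"):
        print(f"{u:32} naive_blocked={blocked_naive(u)!s:5} "
              f"hardened={check_cover_url(u)}")
```

Classifying the resolved address and then letting the HTTP client resolve the name again is itself a time-of-check/time-of-use gap (DNS rebinding); a production fix should pin the checked address for the actual connection or validate inside the connection layer rather than before it.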

Tag: SSRF

Related Identifiers: CVE-2022-0766, GHSA-2647-C639-QV2J

Affected Products: Calibre-Web