PT-2024-30665 · Unknown · Audiobookshelf

Dominator98 +1 · Published 2024-09-02 · Updated 2024-09-13 · CVE-2024-43797

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Audiobookshelf versions prior to 2.13.0
Description: Audiobookshelf is a self-hosted audiobook and podcast server in which a non-admin user is not allowed to create libraries and may access only the libraries they have been granted permission to. However, the LibraryController is missing the check for the admin role, which allows a path traversal issue. This enables non-admin users to write to any directory on the system, an action that should be restricted to admin permissions, making it a Role-Based Access Control (RBAC) issue. The issue has been addressed in release version 2.13.0.
Recommendations: For versions prior to 2.13.0, upgrade to version 2.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the LibraryController to minimize the risk of exploitation. There are no known workarounds for this vulnerability other than upgrading to the fixed version.

Exploit · Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-43797
GHSA-GG56-VJ58-G5MC

Affected Products

Audiobookshelf