BookLore Authentication Bypass Vulnerability in Media Endpoints Allowing Unauthenticated Access to Book Content
Vulnerability
An authentication bypass vulnerability has been identified in BookLore versions through 1.8.1, specifically within the BookMediaController. This vulnerability allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF or CBX page content without authorization. The issue arises because several media endpoints lack proper access control annotations, and the CoverJwtFilter improperly processes requests without authentication tokens. As a result, attackers can enumerate and exfiltrate all book content from the system, completely bypassing the intended download permissions.
Impact
Exploitation of this vulnerability leads to unauthorized access and download of book content, including cover images and complete PDF or CBX page content. This bypasses the application's permission system, allowing users to access content without the required authorization. Additionally, the vulnerability could be exploited to scrape entire book collections, violating copyright laws by enabling unauthorized distribution of copyrighted materials.
Reproduction
To reproduce this vulnerability, send a request without authentication credentials to one of the affected media endpoints, such as '/book/{bookId}/cover' or '/book/{bookId}/pdf/pages/{pageNumber}'. The request is processed without authentication and returns the requested book content. The issue can be exploited manually or with a script that enumerates book IDs and downloads available content.
Remediation
Users are advised to update to BookLore version 1.8.2 or later, where this vulnerability has been patched.
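To confirm the fix on your own instance after upgrading, the following added example (not part of the advisory or of BookLore's code) requests the two endpoints named above without credentials and reports whether each is rejected. The `prefix` parameter, the function names and the verdict labels are assumptions made for this sketch; the endpoint templates come from the advisory.

```python
import sys
import urllib.error
import urllib.request

# Endpoint templates as named in the advisory. Any API prefix in front of
# them is deployment-specific and passed in as `prefix` (assumption).
MEDIA_PATHS = ("/book/{book_id}/cover", "/book/{book_id}/pdf/pages/{page}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them to a login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def status_without_auth(url, timeout=5):
    """GET `url` with no Authorization header, cookie or token; return the status."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map an HTTP status from an unauthenticated request to a verdict."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        return "exposed"
    return "inconclusive"  # 3xx, 404 for an unknown ID, 5xx: check by hand


def check_media_endpoints(base_url, book_id, page=1, prefix="",
                          fetch=status_without_auth):
    """Return {path: verdict} for the media endpoints of one existing book."""
    verdicts = {}
    for template in MEDIA_PATHS:
        path = prefix + template.format(book_id=book_id, page=page)
        verdicts[path] = classify(fetch(base_url.rstrip("/") + path))
    return verdicts


if __name__ == "__main__":
    # Usage: python check_media.py <base-url-of-your-instance> <existing-book-id>
    for path, verdict in check_media_endpoints(sys.argv[1], sys.argv[2]).items():
        print(f"{verdict:12} {path}")
```

Any "exposed" verdict means the endpoint still serves content to unauthenticated clients; "inconclusive" usually means the book ID does not exist or a proxy answered first.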
