Crocodilestick Calibre-Web-Automated Missing Authentication Vulnerability in Admin Endpoint

Vulnerability

A missing authentication vulnerability has been identified in Crocodilestick Calibre-Web-Automated versions through 4.0.6. The issue resides in the admin endpoint code in the file 'cps/cwa_functions.py'. Because the affected routes do not check for an authenticated session, remote attackers can trigger bulk processing operations on the entire library, such as converting files to EPUB format or rewriting existing EPUBs, which can lead to significant resource exhaustion and storage issues.

Impact

Exploitation of this vulnerability allows unauthorized users to initiate resource-intensive library processing tasks, such as bulk EPUB file conversions and rewrites. These tasks cause substantial CPU and disk I/O usage and can rapidly deplete the available storage space.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated GET request to the '/cwa-epub-fixer-start' endpoint. This request triggers the EPUB Fixer service, which processes all EPUB files in the library, creates backups, and can lead to excessive disk space usage. The '/cwa-convert-library-start' endpoint is reachable the same way and converts non-EPUB files to EPUB, further increasing resource consumption.

Remediation

Users are advised to update to the latest version of Calibre-Web-Automated, where this vulnerability has been addressed.
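The pattern behind this advisory, as an added illustration that is not code from Calibre-Web-Automated: a bulk-job route that runs for any client that reaches the URL, beside the same route gated on an authenticated admin session. The framework routing is replaced by a standard-library stand-in; the route names are the ones cited above, and the User type and job placeholder are assumptions.

```python
# Added illustration (not Calibre-Web-Automated code): the unauthenticated-trigger pattern
# beside its fix, with a stdlib-only stand-in for the web framework's routing.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, body)

@dataclass
class User:  # assumed session model: None at the call site means no session at all
    name: str
    is_admin: bool

def admin_required(handler: Callable[[Optional[User]], Response]):
    """Let the handler run only for an authenticated admin: 401 anonymous, 403 non-admin."""
    @wraps(handler)
    def wrapper(user: Optional[User]) -> Response:
        if user is None:
            return 401, "authentication required"
        if not user.is_admin:
            return 403, "admin privileges required"
        return handler(user)
    return wrapper

def start_bulk_job(job: str) -> Response:
    """Placeholder for the library-wide EPUB fixer / converter; does no real work."""
    return 200, f"{job} started for the entire library"

# Before the fix: whoever can reach the URL starts the job (the advisory's condition).
def epub_fixer_start_vulnerable(user: Optional[User]) -> Response:
    return start_bulk_job("epub-fixer")

# After the fix: the same route, gated on an authenticated admin session.
@admin_required
def epub_fixer_start_fixed(user: Optional[User]) -> Response:
    return start_bulk_job("epub-fixer")

@admin_required
def convert_library_start_fixed(user: Optional[User]) -> Response:
    return start_bulk_job("convert-library")

ROUTES: Dict[str, Callable[[Optional[User]], Response]] = {
    "/cwa-epub-fixer-start": epub_fixer_start_fixed,
    "/cwa-convert-library-start": convert_library_start_fixed,
}

def dispatch(path: str, user: Optional[User]) -> int:
    """Status an anonymous (user=None) or logged-in client gets for a GET to `path`."""
    handler = ROUTES.get(path)
    return handler(user)[0] if handler else 404
```

After patching, the same check applies to a live instance: an unauthenticated GET to either route must no longer return the 200 that starts the job.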

Added: May 4, 2026, 1:25 AM
Updated: May 4, 2026, 1:25 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     0.0
  relevance       7.4
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.