Vulnerabilities > CVE-2023-47619 - Server-Side Request Forgery (SSRF) vulnerability in Audiobookshelf
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66
- https://github.com/advplyr/audiobookshelf/blob/d7b2476473ef1934eedec41425837cddf2d4b13e/server/controllers/AuthorController.js#L66
- https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/
- https://securitylab.github.com/advisories/GHSL-2023-203_GHSL-2023-204_audiobookshelf/